The ID card’s connected to the parking card.
The parking card’s connected to the access card.
The access card’s connected to the time card.
The time card’s connected to the log-on card.
The log-on card’s connected to the copier card.
The copier card’s connected to the cafeteria card.
The cafeteria card’s connected to the club card.

In fact, they’re all one card.

Welcome to iCLASS from HID, where the possibilities are endless. For access control, it offers the security of mutual authentication. And its contactless smart card capabilities open the door to adding biometrics, time and attendance, vending, network access and more. If you can imagine it, iCLASS can do it.


April 15, 2005   Vol. 4, No. 5


Next Generation

SPECIAL REPORT: Security Convergence


John Petruzzi, director of enterprise security for Constellation Energy Group,

7 Briefing
Wanted: C-level exec with tech savvy, physical know-how; Spending to fund convergence rises; Timeline: Security through the Ages; Physical security product watch; Security reaches new heights at Sears Tower; Keeping track of kids; The sting of virtual warfare. Edited by Kathleen S. Carr


16 Taking Leadership to a New Level
INTRODUCTION Ongoing collaboration among security functions leads to better risk oversight and better

CSO SECURITY CHECK
For converged CSOs, which of the following will prove more useful?
Answer option shown: “They will be roughly equal.”
BASED ON 319 RESPONSES. CSO SECURITY CHECK IS AN OPEN WEEKLY POLL ON WWW.CSOONLINE.COM.


CSO  has  examined  the  confluence 
of  corporate  and  information 
security  starting  with  our  very  first 
issue  in  September  2002.  Below 
you’ll  find  references  to  articles  on 
holistic  security  management  as 
it  pertains  to  leadership  and 
governance,  staffing,  technology, 
threats  and  other  issues. 


Taming  the 
Two-Headed  Beast 

The  worlds  of  IT  and  physical 
security  are  colliding.  Here’s  what 
to  do  about  it.  (September  2002) 


All  Over  the  Map 

Where  does  security  fit  on  the 
organizational  chart?  CSOs  offer 
plenty  of  opinions,  but  consensus 
is  hard  to  come  by.  (June  2003) 


Get  It  Together 

John  Pontrelli,  vice  president 
and  CSO  of  Triwest  Healthcare 
Alliance,  answers  readers’  questions 
about  security  governance  and  the 
realities  of  convergence.  (May  2004) 


Yet? 


Editor in Chief Lew McCreary explains it plainly: “Considering IT or any other kind of security in isolation from the rest is a serious misunderstanding of the larger purposes of security as a broad strategic activity.”

(December  2004) 


Out  of  Control 

Industrial  control  systems  sit 
squarely  at  the  intersection  of  the 
digital  and  physical  worlds.  They’re 
vulnerable,  they’re  unpatchable, 
and  they’re  connected  to  the 
Internet.  (August  2004) 


To  find  these  articles,  go  to 
www.csoonline.com/convergence. 
the advantage of our in-line intrusion prevention system.

Just as your liver eliminates toxins from your bloodstream, our intrusion prevention system rids your network of malicious traffic, filtering out the constant barrage of security and performance threats while allowing vital information to efficiently flow through. Your network is the lifeblood of your business. Purpose-built on custom hardware, only TippingPoint’s Intrusion Prevention System meets the essential security and performance requirements your network needs to thrive. Finally, there’s a security solution as advanced as the networks it protects... a solution you can’t live without.
From the Editor


With  Friends  Like  24... 


Who needs enemies? The current season of 24, Fox’s weekly festival of dread, took an unseemly turn a couple of episodes back when the fictitious chief security officer of fictitious defense contractor McLennan-Forster enthusiastically perpetrated numerous felonies on his employer’s behalf. Since security executives are so seldom seen in prime-time dramas, it is discouraging to see them depicted as, well, criminally insane. But because McLennan-Forster unwittingly employed a terrorist who masterminded various atrocities from his desktop computer, CSO Dave Conlon and other executives conspire—with the CEO’s blessing—to destroy evidence and obstruct Counter Terrorism Unit Agent Jack Bauer’s investigation.

In the waning minutes of the episode, the CSO draws his sidearm and pursues Jack and his vaguely untrustworthy comrade, Paul, through the darkened offices, believing that they may have uncovered something incriminating (they have!). The offices are darkened because Dave has set off an electromagnetic pulse (EMP) “bomb” in a desperate effort to obliterate every last 1 and 0 stored on the company’s networks and hard drives. Mission accomplished! The EMP fries the local power grid along with the data, plunging a section of the city into darkness and knocking innocent nearby aircraft out of the sky.

All  in  a  day’s  work  for  CSO  Dave  Conlon! 

We asked the folks at Fox whether they wouldn’t mind sending Kiefer Sutherland, the actor who plays Jack Bauer, to our CSO Perspectives conference last week in Huntington Beach, Calif., just down the road from L.A. where 24 is filmed. We hoped Kiefer (who is also the show’s co-executive producer) could explain the creative impetus for this plot twist to a group of real security executives. Fox declined on Mr. Sutherland’s behalf. The week after the EMP segment (for those unfamiliar with the format of 24, each episode is a real-time hour of a single, really menacing day), Dave Conlon is mortally wounded wearing SWAT gear and leading a team of paramilitaries in an assault on a sporting goods store where Jack and Paul are barricaded. (Said the boss paramilitary to Conlon: “You want us to kill a federal officer?” Well, yeah, dude.) This occurred only after Conlon and his goons tortured Paul in order to learn where he had stashed the incriminating materials (this was Paul’s second torturing of the day, having been half electrocuted by Jack some three hours earlier).


Now, on the one hand, a profession can claim to have really arrived at the point when it starts to be represented in the popular culture. On the other hand, the way the work of security executives has typically been treated (The China Syndrome, The Firm, Silkwood and so on) suggests you may need an aggressive organization to look out for your image and reputation—some functional version of the Italian-American Anti-Defamation League. As long as the media think they can safely show you as willing instruments of criminal cover-up, the stereotypes will persist.

So, no, in the end Kiefer Sutherland didn’t show up at the CSO conference. But something much more positive (and of possible relevance) did occur last week in Huntington Beach. CXO Media, this magazine’s parent company, launched the CSO Executive Council—a high-level membership group that will pursue several objectives: to develop the fullest, most coherent set of core resources in basic security practice; to wrestle with the most challenging problems confronting the security profession; to offer a variety of key information products and tools of value to CSOs; and to exert effective influence across business enterprises to enlighten the C-suite on security matters. The goal will be to bring greater transparency to the CSO role. That way there may be fewer cheap shots taken by shows like 24, which—since its whole focus is on security—really ought to know better.

-Lew McCreary
mccreary@cxo.com
Strong Authentication

Strong Authentication
One-Time Password
Full PKI Support
e-Security
Less Overhead
Hard Disk/File Encryption
Secure File Exchange
Total Mobility

The Authenex A-Key hybrid token offers USB and one-time password functionality for your company’s strong two-factor authentication needs. Whether those needs are VPN, LAN, or Web, the Authenex A-Key works in conjunction with the ASAS authentication server to offer strong two-factor authentication with or without PKI. The A-Key also provides 128-bit AES encryption and secure file exchange. The only solution that delivers total mobility and maximum flexibility is waiting for you.

Available Now!

Get your free evaluation A-Key now*

Visit us on the web at www.authenex.com/cso
Tel. +1 (877) 288-4363 or +1 (510) 324-0230

Microsoft Certified
VeriSign

* Certain terms and conditions may apply

© Authenex, Inc. All rights reserved. Authenex, A-Key and associated logos are registered or unregistered trademarks of Authenex, Inc. All other trademarks in this document are the sole property of their respective owners.
Just think how happy your competitor is... getting your customer information for $50 was a real steal.


Have  you  considered  the  risk  of  leaving  corporate  data  on  obsolete  computer  hard  drives  before  selling  the  equipment 
into  the  secondary  market?  When  an  old  piece  of  IT  equipment  is  sold,  donated,  or  given  to  an  employee,  your 
corporate  and  customer  information  may  inadvertently  get  into  the  wrong  hands.  Not  to  mention,  the  financial, 
competitive,  legal,  and  environmental  risk  a  technology  disposal  may  pose  for  your  organization. 

With  RetroBox,  IT  disposal  is  a  process,  not  an  event.  Our  professional  services  ensure  that  your  corporate  and 
customer  information  is  secure  and  your  environmental  liability  eliminated.  Let  RetroBox  make  IT  disposal  a 
seamlessly  managed  process  for  your  organization.  In  fact,  RetroBox  will  reduce  your  IT  disposal  costs. 


retrobox.com 


For  more  detailed  information  about  RetroBox  IT  Disposal  Services,  visit 
www.retrobox.com/inforequest.com  or  phone  800.393.7627  ext.  4805. 


Wanted:  C-Level 
Exec  with  Tech  Savvy, 
Physical  Know-How 


News,  Stats  and  Fast  Facts 

Edited  by  Kathleen  S.  Carr 


Security convergence is an idea—not yet a reality. Correspondingly, the converged CSO is a goal more than a role. But it’s important to start thinking about how to get to that place where you, the chief security officer, will oversee a security group that encompasses all aspects of the discipline. For thoughts on what the converged CSO role will look like, CSO spoke with Pete Metzger, who, as a partner in the Global Security Practice at executive search company Heidrick & Struggles International, helps place CSOs. He is also one of CSO’s career advisers.


CSO: You’ve said it will take a while before we see a converged CSO. Do you still think that and why?

Pete  Metzger:  Yes.  It’s  because  the 
cycle  of  responsibilities  of  CSOs  is 
moving  to  a  higher  level,  and  with 
that  come  more  responsibilities.  The 
industry  trend  is  for  management  to 
fold  more  functions  into 
the  CSO’s  domain.  One  of  those 
functions  is  infosecurity. 


Are we folding in so many responsibilities that we’ll expect too much from CSOs?

It  depends  on  the  capability  of 
management.  But  it  also  depends 
on  the  capability  of  the  CSO.  Both 
have  to  be  honest  about  what  they 
need.  Surely,  though,  folding  the 
wrong  ingredients  in  can  make  a 
terrible  cake. 


Do  you  see  either  “side”— physical 
security  or  infosecurity— taking 
the  lead  with  convergence? 

My personal view is that the person who has more physical security and threat analysis experience can at least be conversant enough in infosec to be more effective in a converged role. That said, an argument can be made the other way. But, right now, if you look across the industry, the industry looks at it that way too—with physical security folding in infosecurity.

Currently, it’s hard to find experienced people for CSO posts. We’re six to 12 years away from having a seasoned team of people to implement these multidisciplinary programs. The business skills are important, but that’s just another way of saying people skills. Whether you can read a balance sheet early on is less important than whether you can understand the business.

Can we expect the usual culture clashes on the road to convergence, or is security important enough to everyone that they’ll be forced to get along?

There  are  a  couple  of  culture 
clashes  that  we’re  going  through 
now.  People  who  came  from  more 
traditional  security  backgrounds 
are  feeling  a  bit  overwhelmed  by 
the  national  scope  of  most  security 
jobs.  And  I  think  the  other  culture 
friction  point  is  when  you’ve  got 
people  who’ve  come  up  through 
different  stovepipes  who  are  now 
coming  out  of  the  same  chimney. 
That’s  not  always  harmonious. 


What  can  we  do  about  that? 

We need to recognize the stark truth: None of us can operate independently. We need to get over our perceptions. Management needs to lead by demonstrating support for convergence. Reporting relationships are another pain point.

To date, the security person has been somewhere in the corporate staff—either reporting to HR, the CFO, CIO or some other office. My view is that the security person should have visibility at the highest level and have routine meetings with leaders of the business.

It  seems  so  cliche  that  the 
endorsement  of  management  will 
actually  help.  Will  it  really? 

If  the  person  in  charge  says, 
“Here’s  my  vision,  and  here’s  what 
I  endorse,  along  with  the  board 
and  the  shareholders,"  that’s  very 
strong.  I’m  telling  you,  it  works. 
Anytime  management  invites  you 
into  the  boat,  get  in.  It’s  a  big  deal. 

- Scott  Berinato  and  Todd  Datz 


FROM THE DEPARTMENT OF ACCESS IS EVERYTHING

“Because I have such access and visibility to the C-level leadership, they know what I’m doing. It’s not a mystery.” - JOHN PONTRELLI, CSO AT TRIWEST HEALTHCARE ALLIANCE (SEE “CONVERGENCE: THE PAYOFF... THE PAIN,” PAGE 22)

Spending to Fund Convergence Rises

Study  suggests  converged  security  projects 
will  get  more  money 

Security  projects  that  require  the  cooperation  of  IT  security 
and  physical  security  teams  are  catching  on,  according  to  a 
Forrester  Research  study.  The  research  group  asked  60  end  user 
organizations  in  Canada,  Europe  and  the  United  States  about 
their  spending  plans,  and  asked  industry  experts  and  vendors 
their  expectations  about  the  demand  for  products  or  services 
related  to  the  convergence  of  IT  and  physical  security. 

Researchers put these “convergence projects” into five categories: large-scale projects (at organizations with at least 60,000 employees and contractors); access control projects that require the merging of physical and logical access systems (think of a building and computer network access control system that outfits employees with their own ID card); projects performed jointly by IT and physical security staff (the installation of an IP-based surveillance network, for example); projects that require smaller amounts of collaboration (such as for data center security); and projects in the public sector (such as border control systems and law enforcement initiatives).


SPENDING ON CONVERGED SECURITY PROJECTS (PER YEAR IN MILLIONS)

Project category                                    2004    2005    2006    2007    2008
Public sector                                       $250    $500  $1,200  $2,600  $5,001
Physical/logical access control projects             $30     $90    $248    $542    $994
Large-scale convergence projects                     $10     $36     $93    $202    $453
Small projects                                       $10     $30     $81    $172    $277
Other projects performed jointly by IT and
  physical security departments                      $10     $35     $92    $191    $315
Total                                               $311    $691  $1,713  $3,707  $7,039

Category figures and totals are as printed by the source; because the category figures are rounded, the columns do not sum exactly to the totals.

SOURCE: FORRESTER, “TRENDS 2005: SECURITY CONVERGENCE GETS REAL”


New  Lessons 
in  Security 


EDUCATION  When  we  wrote  about  education  for  last 
June’s  issue  of  CSO  ( www.csoonline.com/printlinks ), 
we  said  that  a  one-stop  shop  for  CSOs  wasn’t  there  yet. 
But  that’s  changing. 

Northeastern  University’s  new  Master  of  Science  in 
Information  Assurance  debuts  this  fall  with  the  aim  of 
bridging  law  enforcement  and  technology  and  systems 
development.  And  Carnegie  Mellon  is  working  toward 
a  similar  goal  with  a  new  executive  education  program. 

Northeastern’s program is sure to have an interesting student body, mixing those who have a technical background with others from a social science background. Northeastern hopes to teach these groups a common language that they can take back to work with them.

Agnes Chan, associate dean and director of the graduate school of computer and information science at Northeastern, says officials from the National Security Agency agreed to partially fund the development of the program after she presented it to them in January 2003.

It had become clear to her, Chan says, that most information assurance programs are technical and have a management component, but they lack a law enforcement component. Northeastern’s criminal justice graduate program will help fill that void, providing the necessary guidance and the professors from the criminal justice school.

Northeastern built its program after soliciting feedback from Boston-area CSOs to help give structure and focus to the courses, a process that will be ongoing. The master’s program will be offered both full time and part time to accommodate working executives.
The curriculum (see “Northeastern University’s Converged Curriculum,” at right) will conclude with a project that will give students the opportunity to work on industry problems. “The idea of the final capstone project is to identify current problems that corporations and law enforcement agencies face. We will assemble a team of four to five students, consisting of both students who are interested in the technical side and students who are interested in the legal and human issues. The teams will work with the agencies and the faculty coordinator to design and implement a solution,” Chan says.

TIMELINE: SECURITY THROUGH THE AGES
BY AL SACCO

Pre-2000 B.C. Cords or ropes made of rush and fiber are used to secure doors closed.

2000 B.C. The first mechanical locks made of wood and organic materials—such as earth and clay—are used in ancient Egypt.

715 B.C. The first all-wooden locks are created sometime between 722 B.C. and 705 B.C.

880 The first all-metal locks appear between 870 and 900. The locks are Roman-manufactured and are based on Egyptian design principles. The locks are in various shapes with elaborate keys, some in the shape of birds or flowers.

1070 The Normans, England’s first knights, build the world’s first castles, commonly known as Motte and Bailey Castles.

1150 The earliest examples of stone castles are built in France. They are little more than a tower with a few windows and one door, typically elevated so that the stairs can be lifted inside during an attack.

Bonnie Michelman, director of police, security and outside services at Mass General Hospital, is one of the CSOs giving feedback to the Northeastern program. She is an alumna of Northeastern’s Master of Criminal Justice program, and has been teaching security management in that program since 1988. She says the new program addresses a need for educating future CSOs. “The educational path for CSOs is still siloed, which mirrors what’s happening in many organizations. This is starting to change, but it hasn’t yet. The corporate setting and the academic setting for CSOs is still evolving,” she says.

Michelman thinks that folks coming up through the security ranks need management courses in areas like investigations, IS security, intellectual property loss, workplace violence, physical security technology, economics and project management. Communication skills are also a must. “CSOs need to understand how to put together written and business communications, like public presentations,” she says.

In February, Pittsburgh-based Carnegie Mellon kicked off its executive education program in Washington, D.C., with professors and practitioners teaching a broad range of topics (see “Executive Education Classes at Carnegie Mellon,” at left). Bill Ferguson, manager of the CSO Executive Certificate Program, says education programs for CSOs will mature with the position, much like education for other C-level roles has done. “If you look at what’s happening in the security industry, it’s much like what happened to the CIOs who were tech professionals,” Ferguson says. “They got thrust into the executive and IT managerial role without having the business and executive skill sets. It took years to flesh out what those skill sets were to make those CIOs successful. I see the same for the CSO.”

CSOs need the skills of a boardroom executive, he adds. “When we talked to CSOs, we saw that there was a demand for executive ed. They already have the technical certifications. The structure of the program came from talking to” leading CSOs.

-Kathleen S. Carr

EXECUTIVE EDUCATION CLASSES AT CARNEGIE MELLON

■ Smart Budgeting, Spending & Metrics
■ Law, Investigation, Ethics & Privacy
■ Strategic Planning & Leadership
■ Organizational Management & Negotiation Strategies
■ Risk Management & Business Continuity Planning

NORTHEASTERN UNIVERSITY’S CONVERGED CURRICULUM

The curriculum for the master’s of science in information assurance at Northeastern University combines technical classes and criminology classes. All students take core classes. Students also take prerequisite technical and criminology courses to fill in areas where their background knowledge might be lacking.

CORE CLASSES

■ Introduction to information assurance
■ Information system forensics
■ Ethics, privacy and digital rights
■ Applied cryptography
■ Computer systems and networks
■ Security risk management and assessment
■ Capstone project: An industry-related team project combining the backgrounds of both student groups

TECHNICAL ELECTIVES

■ Wireless networks
■ Database management
■ Cryptography and computer security
■ Software design and security
■ Computer security software tools

CRIMINOLOGICAL ELECTIVES

■ Forensic computer investigation
■ White-collar crime
■ Terrorism and international crime

1800s This century sees much advancement in lock making. In 1861, an American named Linus Yale Jr. invents the compact cylinder pin-tumbler lock, which uses Egyptian design principles. In this lock, the key turns a cylinder that rotates an attached arm that shifts the cylinder and causes linear motion of a bolt. Today, the cylinder lock is the most common lock design.

1870s The first patents on barbed wire are filed in the United States.

1881 Alexander Graham Bell invents the first crude metal detector.

1906 Lewis Nixon invents the first sonar-type listening device to detect icebergs.

1930s Radar, which stands for radio detection and ranging, is used by the United States and Great Britain during WWII to detect enemy aircraft. In 1930, engineers from the U.S. Naval Research Lab perform measurements of a radio antenna and, more or less by luck, independently discover radar. Their radio link happened to stretch across an aircraft landing strip, and the


signal quality changed significantly when an aircraft crossed the beam.

A German by the name of Heinrich Hertz first calculated that an electric current swinging rapidly back and forth in a conducting wire would radiate electromagnetic waves into the surrounding space. Today we call such waves “radio waves,” also known as the beginnings of modern radar technology.

Product Watch

Physical security products are all the rage. Here’s a look at some of the latest technology innovations.

All Access

Axalto is one of the world’s leading smart card vendors; the company developed the first microprocessor card in 1979 and has sold some 3 billion of them to date. It offers a hybrid smart card, based on its Cryptoflex and Cyberflex technologies, that allows employees to use a corporate ID badge for physical access to buildings and services and logical access to PCs, networks and VPNs. Other players in the smart card market include Gemplus, HID, and RSA Security.
Axalto (www.axalto.com)

Securing the Supply Chain

Container security has received a lot of attention since 9/11 and with good reason: In a global economy where millions of freight containers are shipped every year, terrorists could smuggle a nuclear or explosive device into one of those boxes and slip it past authorities. Recently, GE Security, China International Marine Containers Group (the world’s largest manufacturer of maritime shipping containers) and Unisys completed the first commercial field test of their tamper-evident secure container (TESC). TESC uses a technology called an integrated Container Security Device, which is similar to a highway electronic toll system. (GE licenses it from All Set Marine Security AB in Sweden.) When a container passes within range of a wireless reader, a security device integrated into the container reveals to customs and logistics officials its location, time of arrival and whether it was opened by anybody without authorization en route.
GE Security (www.gesecurity.com)
Unisys (www.unisys.com)

Secure and Humidify

Integrating security into building management systems is a great example of convergence. Two of the largest companies in this space are Honeywell and Siemens. Both offer systems that integrate building controls such as HVAC, lighting, energy management and fire control systems with security technologies—including access control, CCTV and alarm monitoring. These systems give CSOs a holistic view of what’s happening in their buildings.
Honeywell (www.honeywell.com)
Siemens (www.siemens.com)

Pan, Zoom and Tilt

The world of video surveillance is becoming more and more digitized; standalone CCTV systems, though still widespread, are slowly giving way to networked, IP-based cameras. Axis Communications recently launched two network dome cameras that the company says combine the benefits of a legacy analog dome with those of a network camera. The Axis 231D and Axis 232D cameras feature continual 360 degree panning, 18X optical zooms and a 90 degree tilt function for covering large areas. The cameras can be controlled over IP networks such as the Internet. Axis says the cameras are well-suited for a variety of installations—including manufacturing plants, shopping centers, airports and school campuses.
Axis Communications (www.axis.com)

Fraud Buster

Banks and other financial institutions face an onslaught of online criminal activity meant to separate cash from its rightful owners. To help combat these nefarious activities, Cyota, a six-year-old company that provides online security and antifraud solutions for the financial sector, has launched a product called eVision. It’s a fraud management tool that profiles end user behavior using parameters, sensors and various data points—including user data, device data, transactional data and Internet data. It then uses that information to detect, analyze and score online banking and services fraud in real-time. Cyota may be on to something: Some 33 percent of online users in the United States are expected to use online banking services by 2006, which will give the bad guys ever more opportunities to wreak their havoc.
Cyota (www.cyota.com) - Todd Datz

1960s As early as 1965, press reports in the United States suggest that


police officials begin using surveillance cameras in public places. In 1969, police cameras are installed in the New York City Municipal Building near City Hall.

Metorex Security Products develops the first industrial metal detectors. These detectors were used extensively for mining and other industrial applications and are the predecessors to the technology used during the 1970s in airport metal detectors.

1963 The term hacker, in reference to a person who spends an exorbitant amount of time studying and manipulating computers, is coined at the Massachusetts Institute of Technology.

Password encryption is developed by Roger Needham, a British engineer and computer scientist, at the Computer Laboratory at the University of Cambridge.

1970s Analog technology using videocassette recordings means surveillance can be preserved as evidence. By the mid-1970s, there is an explosion around the world in the use of video surveillance in everything from law enforcement to traffic control and divorce proceedings.

September 1970 Palestinians threaten to destroy four hijacked airplanes, two of them American. In response, President Nixon puts sky marshals on select flights to deter hijackers.

December 1972 The FAA gives airlines one month to begin searching all passengers and their bags. A


Smart Move

SMART GUNS

TECHNOLOGY Once upon a time, a sword could be released from a stone only by a warrior who had the magic touch. Today, technology is replacing magic with the development of smart guns.

Dynamic grip recognition (DGR) identifies the unique grip of a person holding and firing a gun. “We need to make sure that the only person who can shoot a gun is the person who’s supposed to,” says Donald Sebastian, senior vice president of research and development and professor in the industrial and manufacturing engineering department at the New Jersey Institute of Technology in Newark.

Michael Recce, associate professor of IS and inventor of DGR, received a patent for the technology in May 2003. Recce’s software enabled his colleague, Timothy Chang, associate professor of electrical and computer engineering, to develop sensors, which are embedded in the grip of the gun, to authenticate users. The technology uses biometrics to identify, within one-tenth of a second, the unique and recognizable hand pressure variations. When a gun is held, each sensor receives tiny variations of pressure and creates a distinct electrical signal. That signal is transmitted to a microprocessor, which then creates a map of the pressure and movement. The grip pattern is then stored in the microprocessor, which is used to verify users in testing trials.

[Photo caption] Metal Storm’s O'Dwyer VLe handgun is a prototype in development. It uses dynamic grip recognition technology to identify the unique grip of a person holding and firing a gun.

Sebastian says the research was initiated to eradicate gun-related child deaths. Initially funded by the New Jersey legislature with $1.5 million, the research has secured an additional $2 million during the past two years.

Although a wired gun with DGR is currently being tested in the lab, Chang says that by April 2005 an untethered version with the embedded electronics should be ready. Once user-identification trials are complete and reliability is established, the next phase of the project will begin—that is, developing a trigger lock so that the gun will not fire if the user is unauthorized. A commercially available prototype should be available in January 2006. -Diann Daniel


Postal Tracking

Wireless technology secures vehicles

WIRELESS When ponies delivered mail, fleet management meant keeping everyone in line at the hitching post. Today, the ponies are gone, and the U.S. Postal Service uses wireless technology to manage industrial vehicles that sort the mail. New security applications can now monitor and lock down vehicles. In January, the USPS contracted with I.D. Systems and Unisys to develop an enterprisewide wireless asset tracking system dubbed Pivms, or Powered Industrial Vehicle Management System. The tracking technology will help the USPS manage industrial vehicles such as forklifts and secure 460 postal facilities nationwide.

Here's how it works. Vehicles are wired with movement and impact sensors that are connected to a wireless transceiver inside the vehicle's cab. A keypad log-in on the hardware links to the vehicle’s ignition system, and to a management server at each facility. To start a vehicle, an employee enters his or her identification number on the keypad. That information is then checked against an onboard database of authorized drivers. An unauthorized driver cannot start the vehicle. So in addition to tracking a vehicle’s location, the technology can control vehicle access.

The wireless asset tracking system allows fleet managers to control equipment and vehicles used by the USPS. For example, vehicle collisions were notoriously difficult to detect and track in busy mail processing centers. With Pivms, onboard sensors will detect the impact of a collision, log it and identify the employee who was driving the vehicle at the time. The tracking technology is similar to systems utilized by other companies that manage large fleets of equipment, such as DaimlerChrysler, Ford, Target and the U.S. Navy. -Paul Roberts


metal detector known as the magnetometer is invented by modifying a device originally used by loggers and lumberjacks to locate pieces of metal in lumber. The first metal detectors commonly used in airports are 4- or 5-foot-long tunnels with ramps leading in and out.

1986 Digital creates the first Internet firewall.

1988 Vendors of modern antivirus software appear, with IBM leading the movement. A company called S&S holds the first-ever virus seminar that explains what a virus is and how it works. (S&S later becomes known as Dr. Solomon Software, which is subsequently purchased by Network Associates.)

1990 Laptop computers emerge, creating a whole new world for computer security.

1992 Digital installs the industry's first commercial Internet firewall.

Nov. 19, 2001 President George W. Bush signs into law the Aviation and Transportation Security Act, which among other things establishes a new



Advertising Supplement

VoIP—KNOW THE RISKS; REAP THE REWARDS

VOICE OVER INTERNET PROTOCOL (VoIP), ALSO KNOWN AS Internet telephony, represents a compelling business opportunity. Indeed, after years of hype, VoIP has made the transition from emerging technology to viable business solution. According to industry analyst IDC, the market for hosted IP voice services among US businesses—only a portion of the whole VoIP market—is expected to record compound annual growth rates of 282% to reach $7.6 billion in 2008. And, notes IDC analyst Allan Carey, "There are many good reasons to consider VoIP—and many market participants who believe this trend has legs."

But companies must understand their risk. "VoIP networks are getting a bad security rap," says George McBride, managing principal, security practice for Lucent Worldwide Services. "Being aware and having a well designed network security plan can meet the inherent VoIP vulnerabilities head-on," McBride adds.

The same factors that make VoIP a compelling business proposition—shared IT infrastructure, and plug-and-play adaptability—also present significant dangers. At a bare minimum, VoIP becomes vulnerable to disruptions caused by all-too-familiar denial of service (DoS) attacks, viruses and worms—all of which are frequently targeted at IP infrastructure. And, unlike IT-oriented resources, where there are backup protocols for key activities and where users have grown accustomed to occasional service delays, similar disruptions to telephone calls would not be accepted. Gaps in sound or deterioration in sound quality, any noticeable latency, or actual loss of signal would violate the established intimacy and trust of the calling process, disrupting business and generating high volumes of complaints from internal and external users. Indeed, studies show that voice users have come to expect less than six minutes of downtime a year—which means they expect at least "five 9s" reliability.

VoIP itself can also be specifically targeted for Spam over IP Telephony (SPIT), and malicious transmission of obscenities can be directed to unwitting telephone users.

Finally, there are possible regulatory or legal ramifications if VoIP transmissions are hacked, tapped or misappropriated.

The good news is: VoIP has been around long enough that many of its risks are well understood, best practices are emerging and the tools and techniques for mastering VoIP are at hand. The key is starting with a complete view of the challenges, and then imposing appropriate controls.

INTERNET TELEPHONY OFFERS COMPELLING BENEFITS. BUT DON'T IGNORE THE SECURITY RISKS. LUCENT HAS SECURITY SOLUTIONS

VoIP is the future of voice communications. But "getting it right" means knowing how to handle the security challenges of VoIP. These sample recommendations from Lucent may be useful in helping craft an approach to VoIP security that is right for your organization.

VoIP SECURITY CHALLENGE: EXAMPLE OF LUCENT-RECOMMENDED ACTION

Access control: Utilize separate VLANs for VoIP devices
Authentication: Use of X.509 certificates and digital signatures
Availability: Utilize stateful firewalls between the voice VLAN and the data network
Data integrity: Use host- and network-based Intrusion Detection Systems (IDS)
Privacy: Disable "Auto-Display" of IP-phone network information

A NEW PARADIGM—KEEPING VoIP SAFE IN THE FACE OF UNPARALLELED THREATS

"The network is the lifeblood of a company and just as you wouldn't leave your front door unlocked you don't want to leave your prized business possession unprotected," says McBride.

The Lucent approach to VoIP security is largely based on standards, many of which Lucent and its "innovation engine," Bell Labs, have helped to develop and shape. For instance, the International Organization for Standardization offers ISO 17799, which provides recommendations for information security management and provides a common basis for developing organizational security standards and effective security management practices. Similarly, the International Telecommunications Union's X.805 standard defines a security architecture for systems providing end-to-end communications. And NRIC, the Network Reliability and Interoperability Council, provides best practices guidance in a number of areas that relate to VoIP operations.

Lucent, with its unmatched telecom heritage and broad experience, can be a partner in helping develop actionable plans and in implementing successful VoIP security programs based on these standards. Lucent's best practices include security policies that outline expected behavior and security awareness of users, administrators, managers and other employees as well as security assessments to pinpoint security gaps, and to determine what is happening in practice rather than simply what may be documented in policies.

To master the challenges of VoIP, Lucent Worldwide Services VoIP Security Services offers:

■ A Lucent Security Assessment, which includes interviews with customer staff and a thorough examination of potential exposures or vulnerabilities (risks/security/reliability related) before a VoIP network deployment. The assessment also provides recommended corrective action, suggested methods to implement the recommendations, estimated costs and an assessment of potential business impact if VoIP vulnerabilities are exploited. Detailed "drill down" includes elements such as a logical topology map (which can be color coded by address block or Abstract Syntax Notion—ASN). Also included are methods and procedures documents with updated security policies/procedures (optional) and knowledge transfer sessions for customer staff.

■ The VoIP Security Design and Implementation phase of an engagement can include development of a security technical architecture including: firewalls, intrusion detection systems (IDS), authorization and accounting (AAA) mechanisms, systems and virus protection as well as defining business/technical requirements and service design and resource protection. The Design and Implementation phase usually includes an examination of fault tolerance, content or load management and a design review to ensure that it supports confidentiality, integrity and availability of services and information assets. And, finally, it includes deployment coordination, staging and planning for security systems/elements.

■ The VoIP Security Design & Implementation deliverables range from detailed lists of recommended security components to actual procurement of Lucent and third party hardware and software security components.

■ Lucent's Remote Managed Security Operations Center (SOC) can provide managed VPN service for VoIP networks, managed firewall service for VoIP networks and managed IDS service for VoIP networks.

Lucent also helps develop plans for business continuity/disaster recovery, and security incident response and provides its customers with the option of managed security services to provide ongoing configuration of security infrastructures, and monitoring, prevention and remediation of vulnerabilities/incidents.

"VoIP Security isn't easy, but armed with the right expertise, tools, processes and procedures, there's no reason why a VoIP network should perform any less reliably than an organization's current telephone network," says McBride. ■

For more insights, information and solutions to your VoIP security and reliability challenges, visit www.lucent.com/security

VIEW THE LUCENT VoIP SECURITY WEBCAST

www.csoonline.com/lucentwebcast

Please be sure to check out the on-demand webcast featuring Lucent’s George McBride and IDC’s Allan Carey in an expanded discussion on VoIP security.
TSA within the Department of Transportation. (TSA is later transferred under the auspices of the Department of Homeland Security.)

Aug. 30, 2002 TSA unveils Smarte Carte biometrics security lockers for employees at the Minneapolis/St. Paul International Airport. A fingerprint verifies the identity of the user and allows her to access the locker. This pilot program aims to enhance security and restore airports to normal pre-9/11 activity, and is one of the U.S. government’s first pilots involving biometrics.

Nov. 25, 2002 President George W. Bush signs into law the Homeland Security Act of 2002, establishing the U.S. Department of Homeland Security to analyze threats, guard borders and airports, protect critical infrastructure, and coordinate response for future emergencies. The act is created in response to the 9/11 terrorist attacks.

February 2003 The Ready Campaign is launched by DHS and the Ad Council. TV, radio and print public service ads encourage families to make an emergency plan in case of a terrorist attack or other event. The ads also suggest making a supply

Security Reaches New Heights

Chicago’s Sears Tower enlists physical and information security to protect workers and visitors

PHYSICAL SECURITY Visitors to the Sears Tower in Chicago might not think twice about going through metal detectors before entering the 110-story skyscraper. And once inside, though they may not realize it, they’re being monitored by some of the most sophisticated physical and technological systems available.

Carlos Villarreal, national director of security and life safety for Trizec Properties, which managed the Sears Tower until May 2004, spent seven years securing the world’s second tallest building and keeping its 10,000 employees and 15,000 daily visitors safe.

“We’re using our information services technology a lot more now than we were even shortly after 9/11,” Villarreal says.

Electronic visitor registration technology now tracks office visitors. Tenants can preregister guests on a secure tenant portal. Upon arrival, visitors show a government-issued ID and are given an adhesive paper pass that indicates what areas a visitor can access.

After business hours, an imaging system, activated by a swipe card, calls up a photo and information about a worker’s destination. Security officers check photos against the worker’s ID.

A sophisticated security command center inside the building and the entire security program underwent a $6 million modernization in 2002 to update the CCTV monitors that capture images from 130 cameras fixed on lobbies, loading docks, stairwells and the building’s public Skydeck.

Emergency management plans that were once stored in three-ring binders were moved to electronic files housed on a secure Trizec database that could be accessed via the Internet from a remote location.

Villarreal also “keeps a pulse on the country” through an information service offered by emergency monitoring service NC4—The National Center for Crisis and Continuity Coordination. The service monitors emergencies, hazmat conditions, hazards and even traffic patterns and notifies subscribers of events via BlackBerry or PC.

Today, Villarreal secures 52 office buildings from Los Angeles to Washington, D.C., with 125,000 inhabitants. He says the scope of security is widening.

“Before 9/11 we were always focused on a local incident. But now we have to think regionally or nationally, depending on the size of the company,” Villarreal says.

Villarreal can call up surveillance camera systems via the Internet at about 10 of Trizec’s properties.

“It’s good for corporate security executives to know what’s happening at their facilities,” Villarreal says. “They can make a quick assessment, dispatch people, start tracking incidences and keep track of their assets.”

-Stacy Collett

Tower by the Numbers

3.8 million square feet of office and retail space
1.2 million tourists visit the Skydeck each year
25,000 people enter the Sears Tower daily
1,450 feet measure the height of the skyscraper
110 floors in the building
104 computerized elevators
KEEPING TRACK OF KIDS

BIOMETRICS Thanks to some new technology, keeping your children safe and healthy may get easier. Food Service Solutions, a software developer, has introduced biometric fingerprint scanning technology into public school cafeterias. The technology allows the Penn Cambria public school district to use fingerprint scanning to keep track of the food and beverages children choose. The district adopted Food Service Solutions’ system in 1999 to help serve its 1,800 students. Brenda Bucynski of Penn Cambria's food services office says that fingerprint units are stationed at the end of each lunch line in the high school, middle school and elementary school. Once parents prepay for lunches, they can see how their money is spent. The technology allows parents to view a transaction history of what their kids are eating, and grants anonymity to students who are enrolled in free or reduced-cost lunch programs.

According to Food Service Solutions, the fingerprint map created at registration is stored as a mathematical algorithm.

The company is looking into expanding the system so that it can be used to check out books from libraries, as well as for access control and attendance tracking.

Some schools are also exploring ways to use the technology to track students on buses. With a small reader just inside the bus’s entrance, drivers would be alerted if a student boarded the wrong bus and school administrators would know which student is on which bus at any given time.

Indiana-based Synovia has developed school bus GPS tracking that can be used with RFID readers and fingerprint scanning systems. The benefits include the ability to track statistics on individual bus stops, buses or schools. The administration would also have the capability to create passenger lists and rider reports based on the data.

Synovia’s GPS tracking is currently installed in hundreds of school buses, mostly in the Midwest. GPS allows the administration to track the stop times, speed and location of all their buses. Schools and parents can be alerted to any delays. -Margaret Locher


The Sting of Virtual Warfare

SIMULATIONS Battlefield simulators have become so advanced in the past few years that soldiers can not only see and hear conflict, they can feel it.

VirTra Systems, a simulation training company, filed three patents in December on its new IVR-4G combat-readiness simulator. The 4G stands for fourth-generation warfare. This series of products is intended to meet the needs of combatants training for today’s urban battlefields, where the enemy uses guerrilla tactics and hides within civilian populations. The IVR simulators can recreate up to a 360-degree battlefield environment where soldiers working alone or in groups of up to six can practice various scenarios. Among the patent-pending features is the simulator’s use of a hybrid-CGI software that allows instructors to create their own training scenario using video or computer-generated images with 3-D sound and a tetherless recoil kit that turns a soldier's own M-16 into a wireless laser-based training weapon with a realistic recoil.

The most intriguing aspect of this simulator is an innovation that VirTra calls a “threat-fire belt.” During training, a participant can strap this belt around his waist, which will deliver an electric stun pulse if he is wounded during the scenario, anything from a small charge to one strong enough to knock the participant down. As you might imagine, this raises the stakes for trainees considerably. Kelly Jones, CEO of VirTra Systems, sees the threat-fire belt as a means of creating an ultra-realistic training experience. “Otherwise it’s just a computerized program where participants try to learn but there’s no downside to failure,” says Jones. Jones notes that when using the belt, trainees report elevated blood pressure and sweaty palms, just as they might in a real situation. So far VirTra has sold and installed these simulators at some Air Force locations, and has shipped one to the Army and one to a classified international location. That might not sound like booming sales, but with a price tag of anywhere between $80,000 and $120,000 per simulator, realism doesn’t come cheap. -Daintry Duffy


kit (plastic sheeting and duct tape, water, medicines, flashlights and so on) and gathering important documents.

Summer 2003 In July, TSA begins the Registered Traveler Pilot Program in Minneapolis and Los Angeles. In August, the program is launched at George Bush Intercontinental Airport in Houston in conjunction with Continental Airlines. Approved registered travelers are directed to a designated checkpoint lane where they provide their Registered Traveler Smart Card containing biometric information (a fingerprint and iris scan) for identity confirmation.

Jan. 5, 2004 The first phase of the DHS US-Visit program is launched when the department deploys biometric capabilities at 115 airports and 14 seaports. As part of US-Visit, foreign travelers have both index fingers scanned, and a digital photograph is taken. A biometric departure confirmation system is tested at two locations.

May 3, 2004 TSA announces that eight airports have been selected to participate in TSA’s Access Control Pilot Program, which tests radio frequency identification (RFID) technology, “antipiggybacking” technology (which prevents an unauthorized person from sneaking in behind an authorized one), advanced video surveillance technology and various biometric technologies. ■
Our Special Report on Security Convergence sees opportunity and inevitability
PLAY CEO FOR A MOMENT. (C’mon, you’ve always wanted to.)

Three weeks before you announce your next-generation product—representing three years' investment of R&D sweat equity, not to mention big bucks—the senior VP of sales is in your office, irate. He says your biggest competitor is beating you to the punch with a nearly identical product. Cosmetic differences only. This is no coincidence. The competition has pilfered your intellectual property.

An army of lawyers firing a salvo of lawsuits may or may not stop the enemy launch. But your company has a more insidious problem on its hands, which is to figure out how this theft happened and to stop it from happening again. So how exactly did your IP walk out the door?

There are at least a dozen possibilities, some of them physical, others network related; some are purposeful and criminal, others the result of mere carelessness. The problem is that in most companies, you’d have to interrogate at least a half-dozen department heads to begin to address all the possibilities and plug the holes. Intellectual property protection is a task, or a set of tasks, that doesn’t fall neatly and completely under a single branch on the traditional org chart.

Corporate security can tell you whether doors have been left ajar, but network accounts? That’s a question for the IT guys. And they’ll tell you that when hard-copy drafts of research in progress started rolling off the printers in the graphics department, they effectively rolled out of IT security’s bailiwick. For a recent illustration of how a fly ball can fall into the gap between outfielders, look no further than February’s disclosures by ChoicePoint and Bank of America. At ChoicePoint, the CISO’s widely disseminated statement (essentially, that the perpetrators’ posing as customers to gain access to consumer data wasn’t an IT security issue, it was fraud) was both technically accurate finger-pointing and of absolutely no interest to identity theft victims who just wanted their personal data kept safe. And Bank of America lost in transit a set of backup tapes containing a gold mine of customer data.

Big companies typically put together a cross-functional investigation team to address situations like our hypothetical IP theft case. And investigations (whether of an IP leak, a fraud, a workplace violence threat, a rumored interoffice pornography incident or some other malefaction) provide a glimpse into the concept of convergence—also known as integrated or holistic security management. Quite a few leading-edge companies have come to a conclusion that’s as obvious to its practitioners as it is unthinkable to those stuck in a stovepiped mentality: Investigations come after something bad has already happened. Why not apply the same principles of cooperation before something bad happens? Why not bring security-focused departments together proactively, aggregating their information and expertise to look at operational risk as a unified picture and create a security plan that is more effective, more cost-efficient and more credible to upper management?

Skeptics—and there are many—have a list of Why Nots: cultural rifts, differing skill sets, terminology barriers, salary gaps. This special issue of CSO constitutes an in-depth examination of holistic security management and whether those Why Nots can, and should, be overcome. Senior Editors Todd Datz and Sarah D. Scalet put the screws to a score of convergence advocates. We challenged them to prove the payoff in concrete terms (see “The Payoff,” Page 24). We grilled them on the stumbling blocks and the pain points experienced as they brought together various security functions (see “The Pain,” Page 29). And we dug in for an in-depth case study of a big utility company (see “Security 2.0,” Page 34) undertaking a particularly ambitious organizational convergence effort.

These are CSOs who have guided convergence efforts in the real world, and the arguments they present—combined with trends in technology and the threats facing the corporate world today—compellingly make the case that convergence, properly defined, is inevitable. And worthwhile.

Better security. Better risk oversight. Lower cost. Why not, indeed?

-Derek Slater
Now is the time to consider what convergence is—and what it isn't

BY DEREK SLATER

Gently prod a convergence conscientious objector, and what you often discover is a misconception about what the term means.

Convergence does not mean ripping the IT security group out from under the CIO and stapling it to the hindquarters of the corporate security group, where a 70-year-old ex-cop security manager can proceed to ignore it. Neither does it mean piling contract guard management on the already overloaded plate of a horn-rimmed, twentysomething firewall jockey who thinks "shredding" is strictly a snowboarding reference.

Those aren't convergence; they are merely dumb ideas. And like a lot of dumb ideas—rooted in an insufficient respect for reality—they provoke objections that miss the point, such as: "IT security is too complicated and important to entrust to those 'guns and holsters' guys." Or "How can a technogeek possibly manage an executive protection strategy?" (For a list of five common convergence objections just begging to be overruled, go to www.csoonline.com/printlinks.)

It may be more revealing to think in terms of integrated or holistic security management. In fact, while physical and information security are the cornerstones of holistic security, they aren't the whole ball of wax. Depending on which industry they serve, CSOs need visibility into fraud and loss-prevention efforts, investigations, process-control systems, business continuity, pieces of regulatory compliance, some aspects of the human resources function and audit.

Convergence

What it IS:

Integrating historically stovepiped functions of operational risk management to achieve better security, oversight of enterprisewide risk and cost efficiencies.

What it ISN'T:

Putting IT security under the thumb of the physical security group, or vice versa. (This common misconception is responsible for much of the resistance to convergence today.)

ILLUSTRATION BY ANASTASIA VASILAKIS

But reworking the organizational chart isn't really the end goal, according to Timothy Williams; it's just one possible means of establishing the necessary accountability and processes that make security effective. Williams is the CSO at Nortel Networks, where he has been leading a centralized, multifaceted security program since 1990.

"Convergence doesn't necessarily mean reporting relationships. It's about how we manage risk and the processes between the domains," he says. A case of intellectual property theft doesn't fit neatly into any of the domains of IT, corporate security or legal; it crosses all of these functions (see "Taking Leadership to a New Level," Page 16). To Williams, convergence is about "what we are doing to make sure we're not creating or missing an interdependency between the various areas." In some cases, the CSO (by whatever title he or she goes) has direct oversight of two or three branches of security, plus dotted-line reports to well-placed employees in other branches. Which lines are dotted and which are solid can depend on the circumstances and priorities of each company, and on the expertise of the CSO. Steve Hunt, a CPP-toting former Forrester Research analyst, goes so far as to say the leadership role is best handled by a committee, an idea he says is gaining traction particularly in Europe. Hunt says he has seen it work, though it's worth noting that leadership by committee generally has a checkered history in the corporate world.

Having noted that convergence isn't accomplished by remaking reporting relationships, Williams circles back to reemphasize that convergence is not the same as "having lunch once in a while. That doesn't get the job done, because there's no accountability," he says. Whatever the reporting matrix, holistic security has to be institutionalized and cooperation formalized in a set of processes.


THE CONVERGENCE MOMENTUM THEORY: Why Resistance Is Futile

Underlying the growth of holistic security management are five other markers of convergence.

1. Technology convergence.

Corporate security services—video surveillance, access control, fraud detection—are increasingly database-driven and network-delivered. In other words, IT is ever more tightly woven together with physical security. "Something as straightforward as a badge control system may operate more efficiently if you design your network to accommodate it," says Timothy Williams, CSO of Nortel Networks.

2. Vendor convergence.

Not so long ago, infosec vendors protected networks, and physical security vendors protected bricks and mortar, and the twain never met. Now a growing roster of security companies operate in both spaces, as well as in other risk-related areas. Brink's, the armored car company, now offers managed network security services. Unisys, the former mainframe purveyor, has a consulting business in supply chain security. Software giant Computer Associates is mixing with smart-card vendors like HID in the Open Security Exchange consortium, developing a network-and-building-access standard called Physbits. Kroll, historically a physical security services provider, owns Ontrack Data Recovery.

Bill Hancock, CSO and vice president of global security solutions at Savvis, points out that this is a very rudimentary form of convergence; having one foot in each of two ponds doesn't mean you know how to swim. Nevertheless, he expects vendors to continue to merge and meld these distinct product lines into more tightly integrated offerings. And aside from these well-known companies with roots in one discipline or the other, a growing fleet of smaller vendors now present all kinds of interesting examples of cross-functional services. GreenTech Assets is an interesting illustration, offering a computer-disposal service that blends physical, digital, legal and insurance safeguards against potential liabilities created by inadvertently dumping hard drives and other technology assets containing sensitive financial or customer records.

3. Community convergence.

Security is an association-driven world, and for years the associations gave little acknowledgement of each other's existence. That changed in a big way in 2004 and 2005, notably with a statement of solidarity from CISSP promulgator (ISC)2 (in the infosec corner), CPP certifier ASIS International (from the corporate security side) and IS audit association ISACA. Observers such as Williams (who is active in ASIS) anticipate ever more concrete cooperation between these communities over the near term.

4. Threat convergence.

Hancock, among other experts, has been sounding the klaxons about the idea of blended threats (combined physical and logical attacks) for some years. The most likely scenario is a physical attack (such as 9/11) with its effect multiplied by concurrent denial-of-service digital attacks aimed at telecommunications or other infrastructure. This scenario becomes more likely as digital controls become more and more prevalent for physical systems. Hancock tells of a company that extolled its foresight in implementing a door-lock system at headquarters requiring verification of digital certificates to allow employees to enter. Hired as a consultant, Hancock used his laptop to launch a "mini-DDoS" attack against the server that handled the verification. Throughout the building the door locks stopped working.

5. Educational convergence.

This trend is just picking up steam, but universities such as Carnegie Mellon and Northeastern have launched programs aimed at equipping students with a portfolio of knowledge and skills in both corporate and information security.

-D.S.

20 www.csoonline.com April 15, 2005


Appropriate leadership is a vital component. For starters, the leader of a converged department, regardless of personal background, must aim to raise the prominence of all branches that fall under his purview. Constellation Energy Group CIO Beth Perlman, who handed the reins of information security to ex-Marine John Petruzzi, sums it up: "If you don't trust the person you're giving the group to, forget it; it will never work." But Perlman and Petruzzi established that mutual trust, and the Constellation technical security employees who left Perlman's group to join Petruzzi's feel that they are now more visible to upper management (see "Security 2.0," Page 34).

Another key leadership requirement, Williams adds, is the ability to articulate security and risk issues in the context of business activities and in the language of the corporate boardroom. Williams himself finished an MBA degree to acquire the necessary skills.

Constellation Energy's CEO, Mayo A. Shattuck III, describes integrated security management as part of a top-down approach to getting a handle on an organization's exposure to risk. But just as often, the seeds are planted at the tactical level.

"If you don't trust the person you're giving the group to, forget it; it will never work."

-BETH PERLMAN, CIO, CONSTELLATION ENERGY GROUP

Children's Hospital in Boston has a complicated workforce. It's a teaching hospital, so in addition to normal staff turnover, new physicians come and go "in waves," according to CISO Paul Scheib. Some doctors are actually employees of various foundations rather than of the hospital itself. To help keep pace with creating and managing new network accounts and assigning the right privileges, the hospital first implemented password-management software and later a more complete identity-management suite from Courion.

While the impetus was on the hiring end of the employee lifecycle, Scheib says a big payoff is that access can be shut off in a more timely manner when an employee leaves the organization. And Scheib finds himself working closely with the hospital's physical security group to integrate door access badges into the identity management approach. In the past, Scheib notes, "we had our information and they had theirs"—there was very little sharing of information. "Now we're working on a metadirectory project and starting to map both physical and infosecurity data and to define roles that require physical access to high-security areas such as surgical suites." Children's Hospital has no organizational initiative dubbed "convergence"; it's just security people recognizing the efficiencies of working together.
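The kind of metadirectory reconciliation Scheib describes, as an added example that is not the hospital's or Courion's code: it joins constructed HR, network-account and door-badge records on a person ID and flags departed staff whose accounts or badges are still active, badges that open areas (such as the surgical suite) the holder's role does not require, and badges with no HR owner. The record layouts, role and zone names, and the policy table are all assumptions.

```python
"""Reconcile HR, network directory and badge-system records on one person ID.

Added example, not Children's Hospital's or Courion's code. Record layouts,
role names, zone names and the policy table below are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import FrozenSet, Optional


@dataclass(frozen=True)
class Person:
    pid: str
    role: str
    employer: str                 # "hospital" or a foundation; both sit in HR
    end_date: Optional[date]      # None while the person is still active


@dataclass(frozen=True)
class Account:
    pid: str
    username: str
    enabled: bool


@dataclass(frozen=True)
class Badge:
    badge_id: str
    pid: str
    enabled: bool
    zones: FrozenSet[str]


# Role-based physical access policy (assumed): zones each role needs.
ZONE_POLICY = {
    "surgeon": {"lobby", "wards", "surgical_suite"},
    "nurse": {"lobby", "wards"},
    "it_admin": {"lobby", "data_center"},
}


@dataclass
class Findings:
    stale_accounts: list = field(default_factory=list)   # usernames of departed staff
    stale_badges: list = field(default_factory=list)     # badge ids of departed staff
    excess_zones: dict = field(default_factory=dict)     # badge id -> zones beyond role
    orphan_badges: list = field(default_factory=list)    # badges with no HR record


def reconcile(people, accounts, badges, today, policy=ZONE_POLICY) -> Findings:
    """Join the three systems on pid and report every gap a converged process should close."""
    f = Findings()
    by_pid = {p.pid: p for p in people}
    departed = {p.pid for p in people if p.end_date is not None and p.end_date <= today}
    for a in accounts:
        if a.enabled and a.pid in departed:
            f.stale_accounts.append(a.username)
    for b in badges:
        owner = by_pid.get(b.pid)
        if owner is None:
            f.orphan_badges.append(b.badge_id)
            continue
        if b.enabled and b.pid in departed:
            f.stale_badges.append(b.badge_id)
            continue  # revoked outright, so a zone review is moot
        extra = set(b.zones) - policy.get(owner.role, set())
        if b.enabled and extra:
            f.excess_zones[b.badge_id] = extra
    return f


def deprovision_actions(f: Findings):
    """Flatten findings into (system, action) pairs for the identity workflow."""
    actions = [("directory", f"disable {u}") for u in sorted(f.stale_accounts)]
    actions += [("badge", f"revoke {b}") for b in sorted(f.stale_badges + f.orphan_badges)]
    actions += [("badge", f"remove {','.join(sorted(z))} from {b}")
                for b, z in sorted(f.excess_zones.items())]
    return actions


# Constructed sample data: a foundation-employed surgeon, a nurse who left
# on March 31, an IT admin whose badge also opens the surgical suite, and a
# badge nobody in HR owns. AS_OF is the constructed reconciliation date.
AS_OF = date(2005, 4, 15)
PEOPLE = [
    Person("p1", "surgeon", "foundation", None),
    Person("p2", "nurse", "hospital", date(2005, 3, 31)),
    Person("p3", "it_admin", "hospital", None),
]
ACCOUNTS = [
    Account("p1", "dr.lee", True),
    Account("p2", "rn.ortiz", True),
    Account("p3", "admin.k", True),
]
BADGES = [
    Badge("B100", "p1", True, frozenset({"lobby", "wards", "surgical_suite"})),
    Badge("B200", "p2", True, frozenset({"lobby", "wards"})),
    Badge("B300", "p3", True, frozenset({"lobby", "data_center", "surgical_suite"})),
    Badge("B999", "p9", True, frozenset({"lobby"})),
]

if __name__ == "__main__":
    for system, action in deprovision_actions(reconcile(PEOPLE, ACCOUNTS, BADGES, AS_OF)):
        print(f"{system:9} {action}")
```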

As Williams says, good security is about closing the gaps between corporate functions. Anyone who thinks that convergence is a new idea or a fad hasn't been paying close attention to history. Today's corporate security department is an evolution of what used to be referred to as physical security; over time, forward-thinking practitioners demonstrated the value of putting surveillance, fraud investigations, executive protection, and an assortment of other activities (each requiring different knowledge and skills) under a single umbrella. The information security group of today represents a similar evolution of old-style IT security groups, who eventually realized that protecting just the network doesn't keep information entirely secure and that nontechnical measures (notably employee education) have to be part of the equation.

Achieving convergence, at the organizational level, will not be easy. Nor is there one right way to draw up the org chart for every company. But convergence is inevitable (see "The Convergence Momentum Theory: Why Resistance Is Futile," at left). As Williams says, "If you bring this discussion to anyone in the C-suite, they'll define convergence just the way we're talking about it. And that's the real litmus test."

We'll know we've arrived when we can just call the function "Security," with no modifiers needed. ■
The benefits of running a unified security operation are real. CSOs say they can lead their functions to be more effective and save money at the same time. But getting there is tough. It means overcoming the challenges posed by executives who don't buy the idea, and staff who will resist you. Here's a guide to understanding both the upside and the hurdles to holistic security management.

BY TODD DATZ
The Payoff

Executive-level backing and a mandate to run one operation for all security functions gives CSOs the chance to create more effective teams. And did we mention the part about saving money?

Talk to Jim Mecsics about the benefits of convergence, and you'll first have to stomach a metaphor about belly buttons. At the end of the day, says Mecsics, if there's a security problem, the CEO is going to jab Mecsics' belly button, hold him accountable and say, "Fix it."

His point: In a converged security organization, there's only one button to push—executives don't have to contemplate whether to call the corporate security director or head of IT security or the facilities manager when they have a security issue.

More on that later.

Mecsics arrived on the job at credit bureau Equifax in 2002 with a mandate to create a corporate security program—to bring together previously disparate pieces of security, including physical and information security, under one roof.

It didn't take long for the reorganization to bear fruit. Some three months into his tenure, a large identity theft ring began hitting credit reporting agencies and was attempting to penetrate Equifax's networks. Mecsics and his team went to work—they set up a plan, mapped out the bad guys' architecture and worked closely with the FBI. Soon they pinpointed the intermediary company where the breach was taking place. (A former help desk employee at the intermediary company had stolen user codes and passwords and sold them to more than a dozen mostly Nigerian nationals in the New York City area.) At the end of 2002, the U.S. attorney's office in New York arrested the culprits, putting a stop to what it said was the largest identity theft ring in the country (some 30,000 identities were stolen).

"That was a pure example of [the benefit of] us having everything under one umbrella," says Mecsics. "I had the ability to bring the data and fraud folks and everyone else together and come up with a cohesive strategy," he says.

Mecsics didn't have to get authorization from people's bosses to work on the converged effort. He had the authority, he acted, and the coordinated security groups worked to the company's benefit. (Mecsics left Equifax last year and now works as a senior security analyst at SAIC, a research and engineering company.)

Improved collaboration among security functions is just one of the payoffs of convergence. Others include better alignment of security with business operations, establishing the CSO as a single point of contact for all security issues, the opportunity to cross-train employees, increased information-sharing that leads to more efficient problem solving and, if you're trying to convince otherwise skeptical execs of why convergence is worth doing, you can pull out your trump card: cost savings.

What's not to like about that? In this story, security executives at BWX Technologies (BWXT), EDS, Level3 Communications, Pemco Financial, Rohm and Haas, SAIC, Triwest Healthcare Alliance, United Rentals and Wells Fargo talk about why they've converged and the payoffs they've achieved from reorganizing their security departments to better meet the needs of their businesses.

STEPHEN BAIRD, VP of corporate security at United Rentals, is the company's single point of contact for all security matters.

Payoff #1

A comprehensive security strategy better aligns security goals with corporate goals

Most CSOs these days would agree that security should dance cheek to cheek with the needs of the business. In a post-9/11 world, companies that hold onto the traditional view of security as just another cost center are failing to recognize the importance of security to day-to-day business activities.

When Marshall Sanders, vice president of corporate security and CSO (and who served as the founding director of security for President Reagan's strategic defense initiative program in the '80s), joined Level3 Communications in 1999, he had a mandate: establish a comprehensive security architecture.

Sanders' mission was made easier because senior executives at the company viewed security as a key enabler for the business. "We're a network services provider—we're all about network availability. If the network isn't available due to a logical or physical incident, it's a revenue-impacting event. So security was seen by our [company leaders] as an integral component of the business architecture," he says.

A corporate risk management council, comprising Sanders and other senior executives, forms the basis for an integrated security governance structure and helps keep security top-of-mind at Level3 (see "Security Committee," Page 28). "It's critical to have top-down sponsorship," Sanders says, adding that in his case, the CEO "realized security needed to be integrated into the architecture of the business." The council, an audience for updates on physical and logical security, business continuity and disaster recovery exercises, is critical to driving this agenda, he says. "It can provide an enterprisewide perspective and accountability for managing the risks to the business; so then security becomes not just security's problem—it's a business concern."

Sanders defines convergence as the integration of logical, information, physical and personnel security; business continuity; disaster recovery; and safety risk management. (Logical security focuses on the tools in a network computing environment; information security focuses on the flow of information across both the logical and physical environment.) Cost savings is one of the important payoffs in this holistic security strategy. Because there's always some duplication in a stovepiped security organization—in overhead and programs, for example—it's more cost-effective to manage an integrated one. Not only that—duplication can lead to unproductive turf battles among security groups for resources, he adds.

Does every company need to converge to effectively integrate security with the overall goals of the business? Not necessarily. Some companies—for example, small organizations that may not need a CSO—operate fine with separate information and physical organizations, says Ed Telders, CSO at Pemco Insurance. In others, Telders notes, the lack of effective convergence is a problem. "I tell people to do a risk assessment of the organization, do a cost-benefit of having two groups versus one, and make decisions based on business, not politics or anything else," he says.


Payoff #2

The CSO can be a single point of contact

Bringing together different security silos into one big, happy family and running the combined organization can be a lot easier when one person sits at the top, or, as Mecsics says above, can function as the security belly button.

When there's a single point of contact, the CFO or COO can pick up the phone and speed-dial the CSO instead of having to pull out an org chart to figure out whom to call with a security question.

John Pontrelli, vice president and CSO at Triwest Healthcare Alliance, a Department of Defense contractor that manages a healthcare program in the western United States for military personnel and their families, wouldn't have left his previous job at W.L. Gore & Associates to come to Triwest unless he had that kind of accountability.

To Pontrelli, convergence means one person is responsible for security, just as a CFO holds the reins over all things financial.

He lists numerous benefits, including having visibility into where the organization is going. "If I didn't have the visibility of where the organization was going, where the C-[level] folks were going, the new technologies coming, it would be hard to put together a business plan to the requirements of the organization," Pontrelli says. "Because I have such access and visibility to the C-level leadership, they know what I'm doing. It's not a mystery. They know my resources, what's being spent."

This status gives him a greater ability to prioritize risk and create a comprehensive security business plan. Having a single point of contact also makes it easier for the CEO, board of directors, contractors, external business partners and employees to know that they can call Pontrelli if they have any questions or problems. Pontrelli, who reports to the COO, says he wouldn't work at a place "that doesn't have a CSO reporting at the C-level with visibility and accountability at that level."

At Wells Fargo, CSO Bill Wipprecht also likes the fact that other execs know they can pick up the phone and call him with any security questions. Wipprecht runs five divisions—internal investigations, external investigations, physical security, enterprise services and the uniformed services division—and has almost 300 full-time employees. (He does not manage infosec, though his department is the investigative arm of that unit.) He describes security as having a single voice with a single message, and that translates into the way he handles customer service. "Our rule is, if you call anybody in corporate security on any issue, we don't tell them to call Fred in the other group; we dial the number for them. They don't know they're talking to the wrong division—it's an invisible transfer to the customer," he says.

Payoff #3

Information-sharing among disparate security functions increases

For all the benefits of convergence, one of the biggest ones is that the level of cooperation and sharing of information among employees should increase. Will sharing happen overnight? Of course not. (See "The Pain," Page 29, for some of the obstacles that need to be overcome.) But bringing team members into a more cohesive organization with one strategic mission and consistent goals will encourage collaboration and help break down some of the walls that can exist among people who previously had prime allegiance to their individual security function.

Richard Loving is reaping the benefits of a more collaborative environment at BWX Technologies, which manages and operates nuclear and national security facilities. Loving, a 25-year veteran at BWXT, wears two hats: He's CSO (a title he picked up last June) and director of administration. For years, the company, which runs or helps run facilities for the U.S. government in nine states, organized its facility teams as self-contained units. That often meant that people in different locations were working on the same problem. Security directors at the plants acted independently to ensure the safety at their own sites, but there was little collaboration among them. Loving and other execs decided last summer that BWXT needed a centralized focus for security, one that would improve information-sharing and get rid of the stovepiped structure. Loving began to coordinate security at the units.

The results were immediate. Last July the Department of Energy ordered a stand-down of all DoE operations that used controlled removable electronic media after two Zip disks containing classified materials were reported missing at the Los Alamos National Laboratory. DoE facilities were not allowed to resume operations until new security procedures were put in place.

"In the past, each site would have gotten guidance from the government, then they'd go off and put protections in place. We were able to bring an expert from each site together to talk about the changes in regulations, how they were going to protect media and share that information back and forth so that as one site found a new and different way to control something, they would share that information the same day," says Loving. (In January, the Energy Department released a report announcing that the two missing disks never actually existed.)

Another payoff Loving cites involved changes in a physical protection hardware system. Blueprints of the system were obtained from one site and shared with others. "That saved significant costs," he says.

"I tell people to do a risk assessment of the organization, do a cost-benefit of having two groups versus one, and make decisions based on business, not politics or anything else."

-ED TELDERS, CSO OF PEMCO INSURANCE

CSOs (and CIOs) who work in certain manufacturing industries have been dealing with a different kind of stovepiped structure for years that, after 9/11, has started to get more scrutiny from the federal government. Many critical infrastructure industries, such as chemical, petroleum and nuclear, employ process control systems. Those systems are used for a wide variety of tasks—for example, they turn valves on or off and measure temperatures and pressures in reactors. What’s come to light in recent years, as they’ve become increasingly connected to other company networks and the Internet, is how vulnerable these systems are to cyberattack, because the security of these process control networks has been an afterthought. Contributing to the vulnerabilities is that these networks are generally managed by process control engineers, whose job has been to make sure the systems run day and night, not to worry about hackers or other cybercriminals.

For Keith Antonides, corporate information security director at Rohm and Haas, a large specialty chemical manufacturing company, convergence has meant establishing a closer working relationship with the process control engineers. In the past, the engineers did what they had been doing for years, namely, taking care of the systems themselves. “When I joined the company six years ago, it was hands off, you have no authority here. After 9/11, they were asking for my input. It was a major shift,” he says. Antonides boned up on process control networks, and now he works in tandem with the engineers to do cybersecurity vulnerability assessments at the plants.

Bob Pembleton has also been experiencing the benefits of closer collaboration. The 30-year security veteran (he previously held positions at IBM and MCI) arrived at EDS in 2001 as director of global security operations and became leader of a fragmented security department. “I couldn’t get a clear picture of a program for the whole enterprise,” he says.

To improve efficiency, strategy and communication, he led the consolidation of the department, which was completed a year ago. (Pembleton is now chief security and privacy officer, a title he took on in January.) The four functional groups—information security, physical security, compliance and privacy—which previously reported to different parts of the organization, now reside in Pembleton’s security and privacy department. Now security can look at regulations such as the Health Insurance Portability and Accountability Act and Sarbanes-Oxley, for example, and address them with a centralized focus, not a haphazard one.

One project his team completed last year was reducing the 125 or so websites that had references to some type of privacy or security down to one portal for all internal security. “That was to improve efficiency in the company and improve communication to the company and clients,” he says.

Pembleton is also replacing customized solutions with standardized ones. For example, he’s consolidated security monitoring and access control to regional data centers so that policies, while managed locally, are set at a central location. (That took place prior to the security department reorganization.) Next up: centralized user authentication.

Payoff #4

Convergence gives you a more versatile staff

Although the unified security theme resonates today at Wells Fargo, it wasn’t long ago that the message was a little more garbled. Previously, external and internal investigations operated separately. Each had its own manager. That led to inefficiencies, where two separate teams could be investigating the same case. And if the case happened to be in Boise, Idaho, Wipprecht spent money to send somebody from the corporate office in San Francisco to work with the regional agent.

That changed in February 2004, when Wipprecht brought external and internal investigations into his new, converged organization and began cross-training most of his agents.

Now the regional agent, trained in external and internal investigations and physical security, can run the case from Boise solo, giving security more bang for its buck and improving response time. Cross-training has also made his agents more aware of areas that weren’t previously part of their job descriptions. In the past, the physical security folks thought a lot about homeland security but not investigative issues; investigators, conversely, were less observant about homeland security. Now the security organization is more cohesive, with different divisions pursuing similar goals. “The cross-training is an awakening of what they ought to be looking at internationally, nationally and locally,” says Wipprecht.

Triwest’s Pontrelli and Pemco’s Telders cross-train their physical and infosec staff. “It’s mostly a people cost savings,” says Telders. “I can take someone trained in CPR and have them do e-mail filtering and password accounts. I can cross-train staffs so they can cover each other, so my staffing costs are down. People assigned to projects can get cross-trained on the job,” he says. Pontrelli also likes the fact that cross-training gives his team members greater career opportunities.


Payoff #5

You save the company money

OK, you’d like to be converged, you’ve talked up the benefits of single points of contact and holistic strategies and aligning security operations with business goals—and you’ve met with glassy eyes, thinly disguised yawns and general apathy from senior execs. Now’s the time to pull out your trump card: Cost savings. Dollar signs. Cold, hard cash.


All Together Now

TEAM MEETINGS BUILD ESPRIT DE CORPS WHILE CLARIFYING SECURITY’S MISSION

RICHARD LOVING, CSO AND DIRECTOR of administration at BWX Technologies (BWXT), talked excitedly about the two-day security summit he hosted in Washington, D.C., for the general manager and top security manager at each of the nuclear facilities BWXT operates. Loving says the goal was to “work among ourselves and talk with the highest level of customers to understand their needs and perspectives.” Participants included the president of BWXT and representatives from the Department of Energy.

The summit is another outgrowth of the more centralized security strategy Loving has helped put in place since becoming CSO last June. Last summer BWXT decided to make sure security, which previously had been run independently by managers at each plant, became more of a collaborative effort.

“It’s part of an evolving process, to look at security more holistically rather than approaching from the top down. We’re looking at more of a facilitative approach,” says Loving, adding that the summit will become an annual event.

At Wells Fargo, CSO Bill Wipprecht holds an annual training event for his agents in Las Vegas or Phoenix. Professional speakers are brought in, and there’s a dinner to present an agent-of-the-year award. “It brings camaraderie, allows people to meet each other and provides the opportunity for personal relationships,” he says. “It’s a great event.” -T.D.

One area that’s generating savings is technology convergence, the intersection of physical and information security. That’s what Telders at Pemco Insurance has found.

Telders has put smiles on the suits at Pemco by replacing proprietary systems with a centralized, IP-based security management system for both field offices and headquarters that encompasses closed-circuit TV, door controls, access card controls, sensors, alarm monitoring and panic buttons. The system has obviated the need for local security guards; instead, guards monitor the system 24/7 from a central location. Burglar alarm monitoring is also done from that location, so outside contracts with third parties have, for the most part, become unnecessary. And video recording takes place on server disks, not on local digital video recorders. “If a DVR goes out, it could cost five grand. If a disk goes out, it costs $150,” he notes.

Telders says the system saved Pemco on the order of $2 million in the first year. (Most came from eliminating the guards; bringing burglary and security monitoring services in-house saved more.) The company can also use the surveillance cameras in the various locations to hold teleconferences at no additional cost. And Pemco has tied building control systems such as HVAC and lighting into the centralized system, which allows the real estate staff to remotely manage some building systems, largely freeing them from having to install their own network or wiring. Putting cameras, door controls, alarms and HVAC on one IP network also puts them all behind one network’s defenses; the connectivity that lets the real estate staff manage buildings remotely is the same kind that exposed the process control networks described earlier in this story.

Stephen Baird, vice president of corporate security at United Rentals, North America’s largest equipment rental company, is similarly using CCTV improvements to reduce costs. Baird joined the company last July and has become the single point of contact for security. (Previously the top security role wasn’t as clearly defined.) He reports to the company’s president and CFO. Since coming on board, he’s been working on upgrading the company’s digital CCTV systems to make them motion-based. That will save his staff major chunks of time when conducting investigations—using the old system, watching the DVR could take hours; now it takes minutes. He plans on rolling it out in the company’s corporate facilities first and hopes to roll it out in stores eventually. He’s also looking to save money by standardizing DVRs across the company and by buying those DVRs in bulk.

Another technology Baird is exploring is global positioning systems, or GPS, which the company was prototyping before he arrived. One application would involve putting GPS systems on large pieces of equipment, such as light towers. United Rentals has more than 600 types of equipment, including 4,200 light towers. GPS systems would allow security to track where the tower is, how long it’s been there and even if it was turned on. And, of course, it would function much like a LoJack auto antitheft device (a tool they’ve also used) to make sure customers aren’t walking—or driving—away with equipment. And lest one think that light towers, backhoes and skid steer loaders don’t disappear, guess again. “We’ve had theft of everything,” says Baird. But rolling out a GPS system won’t happen automatically—as with any big project, Baird will first assess the risks and the costs before he and his fellow execs give a thumbs-up or thumbs-down.

■ ■ ■

So there: We’ve laid out five ways convergence can make your security department faster, stronger and more efficient, and rack up cost savings to boot. Converging can also turn the various security staffers scattered around a company doing their own physical or logical or investigative thing into a more cohesive team, focused on a central mission.

Is it for everybody? No. Is it painless? Of course not. But if you’ve done the due diligence and believe that convergence can enhance your security posture and bring more value to the business, the CSOs in this story will tell you that you can converge and not just survive, but prosper.

Mecsics, who served in the Air Force for 27 years in various security capacities, recounts how he used to get his troops thinking as one. “I used to show the guys a jet. I said, our job is to make sure that jet can take off and come back. No matter what your job is, your main mission is to make that happen.” ■

NEXT: Turn the page to learn how CSOs work to overcome the real and persistent challenges involved in forming and leading a unified security department.
Committee

EXECUTIVE SECURITY COUNCILS HELP GUIDE CONVERGENCE

Marshall Sanders didn’t have to scream and holler to get a converged security department after joining Level3 Communications in 1999. In fact, it was his mandate from senior executives. Security’s high profile at his company manifests itself in the corporate risk management council, which provides strategic direction for security.

The council was formed in January 2002 and meets every other month, or as required. It’s chaired by the chief legal officer. Besides Sanders, other members include the corporate vice chairman, the CTO, the CFO, the president of European operations and the global vice presidents of transport and infrastructure, intellectual property and data systems, global sales, and HR. “The council helps drive convergence,” says Sanders. “It provides a cross-functional view of managing risk.”

Keith Antonides also relies on his executive oversight committee for information security for strategic guidance. Antonides, the corporate information security director at Rohm and Haas, a large specialty chemical company, serves on the committee (and leads the meetings) along with the CIO (who chairs it), the head of manufacturing, the general counsel, the head of HR, the global IT infrastructure director, the controller, the director of internal audit, and the corporate security director. “The charter was to put a higher focus on infosecurity in the organization and make sure it was supported at the executive level,” he says of the group, which was established in 2000.

The committee has helped IT folks and the process control engineers build better relations, critical to ensuring the security of the company’s process control networks, Antonides says. -T.D.


JOHN PONTRELLI, CSO at Triwest, cross-trains physical and IT security staffs as a way to break down cultural differences between the groups.

Creating a unified security function means overcoming challenges from top executives, existing processes and change-resistant employees

WEDNESDAY, APRIL 21, 9:00 P.M. (EST), All Hands on Deck: The Making of a 21st Century Security Department (made-for-TV movie, 2005):

A new corporate security director takes the reins at a company that has just fired his predecessor for being “old school” and “unable to grasp the future of security.” The new director is given a mandate to converge all the security functions, which previously had been stovepiped. Members of the various security departments, who once had minimal interaction with each other and ample levels of distrust, are elated. Staffers are cross-trained in each other’s disciplines and never fail to ask how they can lend a hand to their colleagues. Employees share many a libation, as well as the best of that week’s security stories, every Friday at O’Brien’s, the local watering hole (“Can you believe the look on the face of that guy from finance when we nailed him for leaking our 3Q numbers? I thought his eyes were gonna pop out of their sockets!”).

A farcical look at how a strong-willed CSO takes a stovepiped organization and whips it into a tight-knit, newly energized outfit, winning the hearts of grateful staffers along the way (including one enthusiastic but verbally challenged firewall specialist who frequently proclaims to his teammates, “There’s no ‘I’ in security!”). Rating: ★


For all of you readers who have either converged or toyed with the idea, the plot line for this movie matches the reality of your experiences or expectations, yes?

Of course not. That’s why this cheesy plot sounds as far-fetched as a reality show featuring a woman trying to determine her biological father from a group of eight strangers. The stark reality is, like any corporate restructuring, converging is bang-your-head-against-a-wall tricky. It presents a host of challenges: ticked-off employees, fights over budgets, skeptical executives and enough cultural issues to make a typical, backstabbing Thursday night on The Apprentice look like a game of Candyland.

But, as “The Payoff” (see Page 24) shows, those who believe convergence is a path worth pursuing will find that the benefits can be worth the pain. This story outlines five common challenges that confront CSOs and suggests ways to tackle them head-on.

Pain #1 Turf Battles

Face it: You’d be a fool to think that the director of infosecurity, an IT department veteran who had developed a great relationship with her ex-boss, the CIO, is going to do a touchdown dance once she finds out she’s reporting to the CSO. Same for the head of corporate security who finds himself taking directions from the CISO, or the security manager at a local operation giving up control of a monitoring system to headquarters.

The fact is, a gaggle of people, whether it be managers or lower-level employees, will be unhappy with any change to their turf. They’re not going to like whom they report to, whom they have to work with and the new projects they’re assigned to. Egos will be bruised, if not battered. “Folks are very protective of their rice bowls. That’s natural,” says Jim Mecsics, senior security analyst at SAIC, a research and engineering company, and the former vice president of corporate security at Equifax.

Mecsics, when he worked at credit bureau Equifax, had to deal with pushback from certain process owners. For example, the CIO was reluctant to turn over control of his systems to Mecsics. So Mecsics used a personal approach in which he listened to their concerns and tried to win their hearts and minds. “I said, I’m not going to do anything to hurt your system or inhibit your business processes. I’m here to protect you so our CEO isn’t standing before a congressional committee someday explaining why credit reports are in front of some gym locker,” he says. He used the same approach with HR, which, prior to his arrival, handled all company personnel issues. Mecsics convinced the HR leadership that the security organization should take over responsibility for developing background check policies. He also assuaged their fear that he was coming in there to steal people from their department.

Ultimately, says Mecsics, security needs accountability. “They [other execs] don’t want something to fall on their shoulders. I said, If we have to go to the boardroom with Donald Trump, by God, I’m going to be there with you,” he says, echoing his military past. (Mecsics served in the Air Force for 27 years.)

Territorial issues are not going to go away, but there are ways to lessen their impact. Marshall Sanders, vice president of corporate security and CSO at Level3 Communications, was fortunate to have a mandate to converge when he came on board in 1999. Sanders’ job was made easier because Level3 didn’t have a heritage of entrenched security stovepipes. But he still needed, for example, to make sure all members of the security organization understood that they were accountable for the success of everybody on the cross-functional team. Sanders says that Level3’s performance-oriented culture and use of metrics and balanced scorecards helps ensure that everybody is pulling in the same direction.

“We have a saying: Our goal is to weave security into the fabric and culture of the company. Because we’re employee-owned, which contributes to our success in converging, the employees have a sense of ownership and accountability,” he says.

Pain #2 Executive Buy-In

You can propose the most wonderful, cost-saving, mega-ROI convergence project in the universe, but if the CEO doesn’t feel as warm and cuddly about it as you do, your proposal will stay just that—a proposal. One way to get the green light for your initiative is to demonstrate smaller-scale successes first.

Bob Pembleton, chief security and privacy officer at EDS, wanted to consolidate data security management (which includes policies, standards, education and security compliance monitoring) from multiple local sites, with multiple standards and approaches, into a centralized site. “We had conversations about what we were trying to do, then did a couple of sites to prove the concept,” he says. “The centralization proved so efficient that the senior leadership raised the question, Wouldn’t it be more efficient to put all four lines in the same security organization?” Ultimately, the success of the consolidation project helped pave the way for Pembleton to converge the privacy group and the physical, logical and information groups under one umbrella.

Communication is also critical—if you don’t get buy-in initially, communicate with the leaders who are feeling the impact of whatever change you’re trying to make, says Pembleton. “Try to put yourself in the other person’s position, and ask yourself, What would I want to know if someone from headquarters showed up and wanted to change the way I deliver security services?” he says.

Another way to sell a convergence project, advises Steve Hunt, a former vice president and research director at Forrester Research, is to package it with something that executives can more easily understand. He cites, as an example, trying to build a better security architecture using public-key infrastructure (PKI)—a major undertaking. Executives might view it as an expensive investment that doesn’t return immediate value to the company. Implementing PKI would require every business unit to conform their applications to the system, and users would have to change their behavior. Trying to sell that kind of project is a lot of work, says Hunt.

A better way to sell it is to package it with a one-card system that controls both cyber and physical access. Moving to one card will save money and increase operational efficiency. “Everybody gets a digital smart card—a big step toward PKI—and you can help sell it by saying the card would contain a smart chip that contains all of a user’s passwords. Users would get behind the idea, and it would be only a small step toward moving to full-fledged PKI,” says Hunt. “A convergence project will fail if it can’t demonstrate business value. Some convergence projects have to be made more relevant to the business,” he says. (What the chip buys in a PKI rollout is a private key that stays on the card; the password pitch is the part users can see the value of.)

Executive security committees, comprising top management and the heads of security, are another valuable way to gain buy-in. (See “All Together Now,” Page 27.)

An Alternate View

IT’S BETTER TO SEEK CONVERGENCE PROJECT BY PROJECT, SAYS CONSULTANT STEVE HUNT

Steve Hunt, former head of security research at Giga Information Group and Forrester Research, has thought a lot about the convergence of the physical and IT security worlds. He recently helped launch 4A International, a security consultancy that aims to help clients with convergence strategies.

Hunt told CSO Senior Editor Todd Datz why he believes convergence works best when companies bring people together one project at a time.

CSO: What are the major challenges of converging?

Steve Hunt: Convergence is a fuzzy concept—it’s a label we’re using to identify those projects that require the cooperation or participation of security and technology groups that previously didn’t work together much. It could be the convergence of IT security people, processes and technologies with corporate security processes and technologies. It could also mean the convergence of physical security technologies with IT, such as using identity management software to manage badges.

The fundamental question that you ask before launching any security project is: What’s the value that business hopes to gain from the convergence project? Convergence is only a project, a tactical task that may require the efforts and technologies of two groups not under the same umbrella. It just means some people and technologies on one side need to interact with those on the other side. You don’t have to merge the departments to get the value of a convergence project.

Is permanently converging different lines a bad idea?

Converged departments are generally a failure. There’s cultural tension, social tension, management challenges and a failure to achieve the efficiencies you are hoping to achieve. However, companies that keep the divisions separate and work on tasks together are successful at achieving operational efficiencies and synergies.

But converging teams on a temporary basis still brings management challenges.

There will still be numerous obstacles. Take a one-card system—the plastic ID badge used to get into a building and into your computer. To deploy that, the team will have to enlist the help of IT experts in public-key infrastructure, directory services, and desktop and client operations. On the physical side, it will have to engage the access control team, the guard or reception desk team, the visitor management team. Also, someone has to design the card.

There should be a clear delineation of tasks among the group because, for sure, the corporate security people who know access control will not fully understand the technology of the card’s smart chip. Corporate security will understand the nature of access control, and they can design an IT badge better than the IT people. The great challenge is to make sure everyone knows what their job is.

One of the arguments to converge is that turf battles might decrease.

There might be less of a turf war if one layer of management is removed, but not always. So often the turf battles remain. For example, you might have two employees, both with the company for 10 years, and [the infosecurity person] gets paid twice as much as the [corporate security person]. That makes for a natural cultural segmentation in the department. My argument is, let’s keep talking about converging the departments, but what’s the hurry? The business doesn’t care who people report to as long as value is delivered.

There’s the image of computer illiterate bullies doing battle with techno-geeks. What differences do you see?

The IT people dress very casually. They’re well-educated. They respond very easily to change. They can learn physical technologies very easily. And they get paid a lot of money. The corporate security people learned their trade over many years of apprenticeship, perhaps in law enforcement or the military, are generally not comfortable with new technologies, are rigorous and structured, and they get paid a lot less money.

Soon I think there will be a cultural separation based on distrust and inferiority.

I would just as soon keep them apart and get teams to work together in friendly ways on projects. ■

Pain #3 Cultural Differences

It’s no secret that, oftentimes, corporate security people are from Venus and IT security people are from Mars (see “Mad About You,” www.csoonline.com/printlinks). So CSOs with a bent toward convergence need to be aware of the cultural differences—and not just between physical and information, but among all security-related departments—and have a plan to deal with them.

Executive security committees are a good place to not only gain buy-in for security initiatives but to get help from senior leadership in bridging cultural gaps.

Keith Antonides, corporate information security director at a large chemical maker, has used his executive oversight committee for infosecurity to help him deal with the cultural differences between his IT organization and the engineers who manage the process control networks at the company’s plants. Historically, the two staffs have had limited interaction. But in recent years, traditionally standalone process control networks have become increasingly connected to corporate networks. That has opened them up to Internet viruses, worms and other cyberattacks and made them potential targets for terrorists. (One disgruntled techie hacked into the computerized wastewater system to release raw sewage at an Australian plant in 2000. See “Out of Control,” www.csoonline.com/printlinks.) After 9/11, process control engineers and IT departments realized they needed closer cooperation to help protect plant networks. Helping it happen, says Antonides, is the oversight committee, a venue that company executives have used to ensure collaboration between the two sides.

Cross-training is another effective way to make people more understanding of their fellow employees. John Pontrelli, vice president and CSO at Triwest, and Ed Telders, CSO at Pemco Insurance, both cross-train their physical and information security staffers. At Wells Fargo, CSO Bill Wipprecht began cross-training his external and internal investigations agents to do each other’s jobs.

Of course, there’s no silver bullet to tearing down the cultural walls separating security departments, in place for years in many companies. Cops aren’t going to start sporting goatees and flannel shirts overnight, and geeks are still going to look at suits as well-tailored straitjackets. But some CSOs are making progress. Overcoming the differences between physical and information security people, says Telders, “is not as big a hurdle as it used to be.”

Pain  #4 

Organizational  Structure 

As part of the convergence process at Wells Fargo, in which external and internal investigations were brought under the corporate security umbrella, Wipprecht took a long, hard look at the structure of his department. His guiding question became, Do we have the right people with the right expertise in the right jobs in the right locations?

“With 300 people, it becomes a significant issue evaluating where your needs are,” he says of his security organization. After spending several months studying case metrics, such as volume of work and number of phone calls, Wipprecht found that there were some redundant management positions. That led the company to offer retirement packages to some of the agents and management team members (he declined to say how many).

During the review process, Wipprecht also sought the input of his staff. “You have to communicate. You redefine the new organization, set goals, then go to the agent level for their input. We want participatory management. The responses I got really helped formulate what our organization was going to be today,” he says.

Wipprecht also says training is key to a successful, converged department. “We as a management team have an obligation to have the best and the brightest,” he says. “To do that, we need to provide the training they need to maintain an expert level. If they’re the best they can be, that can only assist you in the field as agents communicate with customers, the FBI, Secret Service, whatever. It saves time and money.”


Microsoft’s Culture Clash

There didn’t seem to be any downsides in Howard Schmidt’s mind. In the late 1990s, the former CSO at Microsoft watched as the company’s Web presence exploded—and experienced rising numbers of attacks. Schmidt, who headed up IT security, and others had to decide which investigators from physical or IT security should respond. “That’s when we saw value in converging the two,” says Schmidt.

Soon the decision was made to converge the IT and physical security teams as a whole. In the spring of 2000, Bob Herbold, Microsoft’s then-COO, gave Schmidt the OK to move security out of the IT organization into his. (The new merged group would report to the COO.) But soon there were problems. “I made my biggest mistake—I didn’t anticipate the cultural differences,” says Schmidt. The physical folks had expected to be promoted to the same pay levels as the IT staff. Schmidt had intended to cross-train his team, but he realized that while some of the physical people were on the way to get technical training, they didn’t have the technical aptitude of some IT security people.

The bottom line was that HR decided that pay scales would remain the same. That ticked off some of the physical folks. “Initially everybody was excited, but in a matter of months there was the perspective that, I’m doing the same job, I should be getting higher compensation. It became a distraction from the day-to-day work,” he says.

About a year later, when the COO retired, Schmidt helped form a new group, Microsoft’s trustworthy computing security group. The converged security team was moved back into the IT organization under the CIO. And after 9/11, Schmidt left Microsoft to work full-time on national cybersecurity in the White House. But he still believes in convergence. “The best manager of a security organization has physical and IT experience,” he says. -T.D.


Pain  #5 

Information-Sharing 

Think about information-sharing between the FBI and CIA. Or FBI and CIA and NSA. Or FBI and CIA and NSA and DoD. You get the drift: Getting security folks to share information can be as hard as telling your boss his putt isn’t a gimme.

Security pros “are not accustomed to talking a lot; they’re trained to protect information,” says Richard Loving, CSO and director of administration at BWX Technologies (BWXT), a manager of nuclear plants and other high-security facilities.

Loving says communication across his organization was the biggest challenge he dealt with last summer as he centralized security, which previously was the domain of each individual nuclear facility. To get over that hurdle, Loving has emphasized to facility security managers that working together is in the best interests of the company and that headquarters is trying to enhance—not control—their local operations.

He also advises showing employees the successes of their collaboration. “One time you may be sharing, the next time you may be on the receiving end,” says Loving. For BWXT, the benefits of information-sharing came after the Department of Energy ordered all its facilities to improve security of controlled removable electronic media (CREM). Loving and his colleagues coordinated a group response across BWXT facilities rather than having each plant act on its own to comply.

This kind of sharing won’t come easily; it’s an evolution, Loving says. “It really is getting people to open up and share and recognize that there will ultimately be benefits, whether in operations, security or safety.” ■

Got a painful convergence story? E-mail Senior Editor Todd Datz at tdatz@cxo.com.


Still  Room  for  the  CISO 


CISOs are likely to survive convergence turf battles, according to Forrester Research. Read “The CISO in 2010 Still Touches Technology.”

Go  to  www.csoonline.com/printlinks. 


32  www.csoonline.com  April  15,  2005 


CSO Focus Series are technology-focused supplements that complement CSO’s award-winning editorial coverage of security and risk management issues for senior security executives. These special supplements, written and produced by our custom publishing team, will help you to answer complicated security questions and more. Look for these targeted supplements in your upcoming issues of CSO.


June 

CSO  Focus:  Managed  Security  Services 

This special supplement examines the issues that CSOs should consider when evaluating outsourced options for information-security management, and provides a clear understanding of how managed security service providers work—and of their own role in creating successful partnerships with providers.

August 

CSO  Focus:  Business  Continuity  &  Disaster  Recovery 

This supplement discusses how CSOs can build effective business continuity and disaster recovery plans and explores options for making their organizations less vulnerable and more resilient.

October 

CSO  Focus:  Content  Filtering 

One of the most challenging issues for enterprise IT organizations is managing the content and character of the data that flows through their network, both internally and externally. This supplement will help CSOs wade through the myriad of solutions available to them.

December 

CSO  Focus:  Access  Control 

Building and managing effective access control and identity management solutions is a critical base step in protecting your organization’s digital and physical assets, and complying with many government and industry regulations. But it’s easier said than done. This supplement will help CSOs examine the challenges, and opportunities, in implementing an effective solution for their organizations.
What does it take to make convergence happen?

One secret is to sneak up on it, the way Constellation Energy did, by seeming to be doing something else entirely.


At first glance, the security operations center for Constellation Energy Group is exactly what you’d expect from a high-tech Fortune 500 energy company. At the front of a windowless room twenty-some miles from the company’s Baltimore headquarters, video monitors display office hallways, a trading floor, electrical substations and entrances to power plants. One screen is permanently tuned to CNN, which seems to be corporate America’s ubiquitous intelligence source. Another shows a map of the world. Security operators are busy tracking and responding to events at facilities around the world. A smoke alarm goes off here, a door is held open too long there. The usual.

But  that’s  not  all  that’s  being  monitored. 

The director of enterprise security checks his BlackBerry and then speaks in a low voice to the supervisor of the “information protection” unit, previously known as information technology security. The former is a onetime Marine, with closely cropped hair and a dark suit and tie, whose background is in corporate security and executive protection. The latter sports a well-groomed mass of curly locks, a soul patch beneath his lower lip, no necktie, and a handkerchief jutting out his jacket pocket. Until recently, he reported to the IT department rather than corporate security. Only a few feet from where security operators are monitoring gates and guards, these two very different men are assessing the security announcements from Microsoft on this “patch Tuesday.” The particular workstation they stand in front of displays not a video feed but a security-incident management system that draws together information about the company’s firewalls, intrusion-detection systems and other network operations.

PHOTOS BY DANUTA OTFINOWSKI

Welcome to a converged security operations center—a work in progress.

“We haven’t made a full determination yet on how this is going to be integrated,” says John Petruzzi, the former Marine who is director of enterprise security, as he surveys the room. Right now, two workstations are used to monitor physical systems, and a separate workstation is used to monitor logical or information systems. But Petruzzi thinks that may change within the year.

“We’re leaning to the fact that we can get it to a point where the console operator will be integrated,” he says. “I think we’re almost there.” That would mean that each security operator would monitor all kinds of security incidents, both physical and virtual.
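What a single operator console of the kind Petruzzi describes would actually have to do, as an added example that is not part of the original article and not Constellation’s own system: merge the physical access-control feed (badge reads, a door held open too long) and the network feed (an IDS alert, logons) into one time-ordered queue, give each event a severity, and apply one cross-domain rule. The rule used here, that an on-site logon by a user who has not badged into that site should be flagged, is an assumption chosen to illustrate physical/logical correlation; the feed formats, event names, sites and user names are all constructed for the example.

```python
"""Toy converged-SOC console: one queue for physical and logical events.

Added example, not Constellation Energy's system. Feed formats, field
names, sites and users below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample feeds. Real access-control panels and IDS/SIEM
# products each emit their own schema; this "ts KIND k=v k=v" shape is
# an assumption made so the two feeds can be parsed by one function.
PHYSICAL_FEED = [
    "2005-03-08T08:02:11 BADGE_IN  site=HQ     door=lobby-east  user=alice",
    "2005-03-08T08:05:40 DOOR_HELD site=HQ     door=loading-2   user=-",
    "2005-03-08T08:10:03 BADGE_IN  site=PLANT1 door=gate-a      user=bob",
]
NETWORK_FEED = [
    "2005-03-08T08:04:15 LOGON     site=HQ     host=ws-0412     user=alice",
    "2005-03-08T08:07:52 IDS_ALERT site=HQ     host=fw-edge     user=-       sig=portscan",
    "2005-03-08T08:12:30 LOGON     site=HQ     host=ws-0199     user=carol",
]

# Assumed severity scale: 0 = informational, 3 = needs an operator now.
SEVERITY = {"BADGE_IN": 0, "LOGON": 1, "DOOR_HELD": 2, "IDS_ALERT": 3}


@dataclass
class Event:
    when: datetime
    kind: str
    site: str
    user: Optional[str]     # None when the feed carries no user ("-")
    source: str             # which feed produced it, or "correlation"
    detail: str             # remaining key=value fields, for the operator
    severity: int = 0


def parse_feed(lines, source):
    """Normalize one feed into Event objects with a common schema."""
    events = []
    for line in lines:
        ts, kind, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        user = None if kv.get("user", "-") == "-" else kv["user"]
        detail = " ".join(f"{k}={v}" for k, v in kv.items()
                          if k not in ("site", "user"))
        events.append(Event(datetime.fromisoformat(ts), kind, kv["site"],
                            user, source, detail, SEVERITY.get(kind, 1)))
    return events


def merge_feeds(physical=PHYSICAL_FEED, network=NETWORK_FEED):
    """One time-ordered stream for the single console operator."""
    events = parse_feed(physical, "access-control") + parse_feed(network, "network")
    return sorted(events, key=lambda e: e.when)


def find_logons_without_badge(events, window=timedelta(hours=12)):
    """Assumed correlation rule: an on-site LOGON should be preceded, within
    `window`, by a BADGE_IN for the same user at the same site. A logon with
    no such badge read is raised as a new high-severity event."""
    badge_ins = [e for e in events if e.kind == "BADGE_IN" and e.user]
    flagged = []
    for logon in (e for e in events if e.kind == "LOGON" and e.user):
        matched = any(b.user == logon.user and b.site == logon.site
                      and logon.when - window <= b.when <= logon.when
                      for b in badge_ins)
        if not matched:
            flagged.append(Event(logon.when, "LOGON_NO_BADGE", logon.site,
                                 logon.user, "correlation", logon.detail,
                                 severity=3))
    return flagged


def triage_queue(events, min_severity=2):
    """What the operator sees: raw events at or above the threshold plus
    the correlation-generated alerts, in time order."""
    queue = [e for e in events if e.severity >= min_severity]
    queue += find_logons_without_badge(events)
    return sorted(queue, key=lambda e: (e.when, e.kind))


if __name__ == "__main__":
    for e in triage_queue(merge_feeds()):
        print(f"{e.when:%H:%M:%S} sev={e.severity} {e.kind:15} site={e.site:7} "
              f"user={e.user or '-':6} [{e.source}] {e.detail}")
```

On the constructed feeds the queue holds the held-open door, the IDS port-scan alert and one correlation alert: carol’s workstation logon at HQ with no badge read behind it. Alice’s logon is not shown because her badge-in two minutes earlier satisfies the rule. The point of the design is that the correlation only exists once both feeds land in the same schema in front of the same operator, which is exactly the integration the two workstations in the room have not yet reached.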

Call it integration; call it convergence; call it holistic security. Whatever its name, it is budding in this room and others like it across the country. In 2006, according to Forrester Research, North American companies will spend $1.7 billion on projects that combine traditional physical security and IT security—more than five times as much as they spent in 2004. And Constellation has undertaken the most ambitious type of convergence project of all: the wholesale integration of the two departments.

Along the way, those involved with the project are facing political, logistical and cultural challenges, with little to guide them. “I have not seen a repeatable organizational model for a completely converged, centrally managed security operation [that includes] physical and IT security,” Forrester analyst Steve Hunt warns. (After this story was reported, Hunt resigned from Forrester to launch 4AInternational, a security consultancy that will focus on convergence strategies.) But he’s delighted that companies such as Constellation are trying. “With good management, anything is possible. There’s a chance they could succeed and save a lot of money and be much better than they ever were before at mapping security to actual business value.”

What’s more, if Constellation has its way, it could even be mapping out how the next generation of security will look.

The  New  Guard 

At Constellation, the dramatic transformation to bring together information security and physical security can be traced straight to the top—to Mayo Shattuck III, who took over as chief executive just weeks after the terrorist attacks of Sept. 11, 2001.

Shattuck could hardly have chosen a more tumultuous time to leave his post as president of Alex Brown, a Baltimore-based unit of Deutsche Bank, to take the reins at Constellation, then a $3.9 billion energy generator and distributor. The energy industry had already been battered by the California energy crisis and concerns about terrorist attacks on the power grid. It was about to absorb another blow, with the collapse of Enron. And Constellation itself was in turmoil. On the heels of a failed attempt to merge with Potomac Electric Power, Constellation had just scrapped a plan to split into two companies: a regulated power distribution business and a nonregulated production and trading business. The company paid $355 million to Goldman Sachs, its investment partner, to get out of the deal.

It was time for a regime change. It was time to focus on risk.

“Coming from the banking world, I was struck by the lack of centralized risk management on day one,” Shattuck says. “It was probably the afternoon of day one that I decided that immediately I needed to mirror the way in which a universal bank [approaches] risk.”

As Shattuck remade his senior management team, one of the most prominent new players to emerge was John Collins, a longtime finance employee who became the company’s first chief risk officer (CRO).

“Originally we looked primarily at the financial risks—the risks around our marketing and trading operations, the risks around our loan-servicing business, commodity price movements,” Collins says. “At the same time, my vision was always to also incorporate operational risk. Both security and business continuity planning seemed to be in places in the organization where they weren’t really getting enough high-profile attention.”

In late 2002, Collins officially expanded his purview. He took control of the company’s business continuity and corporate security operations, which had been part of the general services department. But information security wasn’t ready to make the move just yet.

That’s because Beth Perlman, the company’s first-ever CIO, was still trying to get a handle on the piecemeal systems that had grown out of decades of the business lines operating independently. “When I came here, you could not tell that all the divisions were part of the same company,” says Perlman, who was hired in April 2002. “If I wanted to access our HR system, I had to go through firewalls. We did not have one IT security department; we had many IT security departments. The first step of convergence was formulating one IT security group. The last thing I wanted to do was just dump something that didn’t work.”

By this point, though, the players were all in place. Brandon Dunlap, supervisor of the information protection unit under the risk-management organization, had been hired to manage IT security. And Shattuck himself had brought aboard Petruzzi, who had worked in executive protection at Alex Brown. Shattuck trusted Petruzzi, who had accompanied him on trips to South America to coordinate his protection, and thought that Constellation would be a good spot for Petruzzi to build and broaden his career.

As it turned out, Petruzzi, now just 34, would broaden a lot more than his own career.


Not  Just  Another  Project 

“We started [at Constellation] within, what, two weeks of each other, and started meeting almost regularly right after that,” Dunlap says to Petruzzi, as Petruzzi settles into a chair in a conference room next door to the security operations center. Petruzzi has asked his three direct reports to gather here on this January afternoon to talk about how the convergence process is playing out.

There’s Dunlap, with his cultivated eccentricity and deep technical know-how. (He’s on the faculty of the Institute for Applied Network Security.) There’s Frank Woods, a 25-year Constellation veteran who used to be supervisor of the security operations center but is now supervisor of a new access-management unit, which will handle all requests for logical and physical access companywide. Finally, there’s Dave Feeney, the newly promoted supervisor of the security operations center, whose emphasis has been on making sure the operators hired to work in the center have plenty of tech savvy.

(Petruzzi’s direct manager, Jack Ryan, declined to be interviewed for this story. Ryan, a 21-year Constellation employee who is head of corporate security, indicated through corporate communications that “all bases have been covered” by this story’s other sources.)

There’s an easy banter between the three men and their new manager, and a vitality that feels more like an Internet startup than a century-plus-old energy company. Petruzzi’s crew had already dug into lunch by the time he arrived from headquarters with a reporter in tow. Dunlap makes a crack about Petruzzi still not letting him carry a gun. The conversation moves fluidly from network sensors to smart cards to concealed duress buttons that trigger alarms. Wasn’t it always this way?


The convergence process didn’t start as a big explicit project—and this is key. “We didn’t have a name for it,” Dunlap says. “We didn’t call it ‘convergence.’ We just thought, wouldn’t it be great if we could work together more closely for efficiency.”

As at many companies that have brought together physical and information security, the evolution began with the investigations group. Because investigations were conducted by corporate security but often involved data stored on computers or passed through e-mail, there were frequent handoffs between corporate security and IT. At the same time, the IT department was growing its monitoring capabilities. Dunlap’s staff might notice inappropriate behavior on the network and report it to investigations.

“There was never this, ‘We’re shoving this down your throat,’” Dunlap recalls. “It was more like, ‘Hey, if you’re doing that, you really should get these guys involved.’”

Meanwhile, there was increasing recognition that information security belonged under risk management—not technology. This was driven partially by the risk-management approach that Collins was spearheading and partially by regulatory concerns.

“When you look at corporate security,” Collins explains, “the evolution of it has to be with information technology security, because you won’t address the whole security environment unless you’re looking at it together. We also think that it’s the right thing to do, because otherwise you have the IT department watching the IT security, and is that really good internal control?”

There were financial incentives too. Collins believed that combining physical and IT security would simply be more efficient and effective. For instance, he thought the company could save labor costs by merging network and physical access monitoring. Simply put, Constellation wouldn’t need as many guards.

By summer 2004, executives started mapping out the split. IT systems maintenance would stay within the IT department, but IT security would keep track of any maintenance required from a security perspective. IT security—renamed “information protection” to distinguish it from IT—would operate as a consultant to IT. “Gartner lite,” Dunlap calls it, referring to the IT consultancy.

Here’s how things would play out. If a change needed to be made to a firewall, the information protection group would make a request, and the IT infrastructure department would carry it out. If there was unusual activity on a port, information protection wouldn’t disable it; they would call the network technicians. If a system needed to be patched, information protection would do the research and testing and then put the word out.

Complicated?  Yes.  But  it  made  sense. 

“We said, ‘OK, this is a segregation of duties,’” says Perlman, the CIO. “You [security] are a consumer of the tools. We [IT] deploy the tools. Checks and balances.”

Gradually, as the IT security function came together and started to operate more smoothly, its staff began working more closely with security, writ large. On Oct. 1, 2004, IT security employees officially started working for corporate security. The switch was thrown.

Power  Shift 

As CIO, Perlman stood to lose the most. After all, she was giving up employees and budget, and therefore power. But if this bothers her, she doesn’t let on during a meeting with a reporter in her office on the top floor of Constellation’s headquarters. Her lament instead? Now that IT isn’t directly involved with investigations, she says with a laugh, “I don’t get the dirt anymore. That’s what I miss.”

In truth, Perlman didn’t lose much more than a few headaches. Only 12 IT employees and a handful of contractors made the move to corporate security—hardly denting her staff of 550 full-time employees and 150 contractors. The only part of her budget that has been moved, at least so far, is for security salaries and consultants. IT still controls the budget for everything from antivirus software contracts to smart cards, charging back costs to the business units. And not knowing “the dirt” anymore means that Perlman doesn’t have to drop everything to deal with an investigation.

It also helps that she trusts Petruzzi. “If you don’t trust the person you’re giving the group to, forget it; it will never work,” Perlman says. “While we were cleaning up our own shop, we were working on building trust with each other’s groups.”

Not that everything is perfect. Perlman and Petruzzi are still finessing the line between operations and security. They’re also talking about moving more of the budget over to security for the next fiscal year. And the two don’t always agree. Far from it. For instance, they’re still trying to work out the best way for traveling employees to sign onto e-mail. Right now, employees use SecurID tokens from RSA, in addition to passwords. Perlman feels that the tokens are an expensive bother (one that her department must pay for and support) and would like to phase them out. Petruzzi’s team thinks otherwise.

“The question is, is the cost of that infrastructure worth it, or are there other measures we could take?” Perlman says. “That’s where we’re having an argument. [Petruzzi] thinks the other options that we’re offering are not as secure, so we’re trying to say, what’s the risk?”

“We just don’t see that your cost-avoidance by doing away with the RSA tokens is worth the risk,” answers Petruzzi, whose information protection group put together a page-and-a-half-long report outlining arguments against the change. Gartner lite.

For the time being, the two have tabled the issue until they address a new identity access and management plan next quarter. In other words, they have agreed to disagree. Their relationship is solid enough that when Perlman’s assistant can’t find her, she looks in Petruzzi’s office. The RSA tokens are still in use, and Perlman isn’t unhappy, because no one has said “no” to her without offering options.

“If it gets to the point where somebody says, ‘You can’t do that,’ and doesn’t offer me options,” that’s when the new structure isn’t working, Perlman says. “You have to be good collaborators. You have to understand this is a business problem we’re trying to solve.”

The  Future  of  Security 

For Petruzzi, who has a degree in criminal justice, it’s all part of the crash course he’s been taking since joining Constellation. He’s taken SANS Institute courses. He does outside reading. He peppers Dunlap with technical questions about solutions they are considering, making sure he has a sufficient understanding of the risks involved. And he’s encouraging his staff members to do the same. In fact, he has told them that their performance will be evaluated, in part, on whether they make themselves into what he calls “the new breed of security specialists.”

Training doesn’t have to be complicated. It might consist of a few symposiums or on-the-job training with someone who has a different kind of security background. “It doesn’t mean you have to be an expert,” he says. “It means you need to be able to stand in court or in front of executives and state things clearly.”

Those who have remained at Constellation through the turmoil of the past three years say they have embraced this new strategy—largely because both IT and physical security staffs saw their positions as being elevated.

Woods, who runs the new integrated access management unit, remembers “the days when corporate security existed in a basement under the general services division. It was like the cleaning personnel and then security below them. We didn’t have much authority.” Now, corporate security has a clear line to the CEO.

Dunlap, too, saw convergence as an opportunity. “Before, we were kind of... I don’t want to say sequestered, but to some degree we were just another guy at the table,” he says. “We saw coming out and working for the risk management group as a kind of independence. It’s not

Continued on Page 40
Since late 2001, Constellation has reengineered its leadership along risk management lines. Director of Enterprise Security John Petruzzi was recruited to help execute the transformation.
How the Stars Aligned

Merging the physical and IT security departments is a huge organizational change. Here are several factors that helped make convergence happen at Constellation Energy Group.

Constellation was ripe for change, with a new CEO who had replaced most of the senior management team.

The company had a new focus on enterprise risk management, overseen by a chief risk officer who is concerned with operational as well as financial risks.

As a heavily regulated company, Constellation felt an acute need to establish segregation of duties between the management and control of IT systems.

Convergence didn’t begin as a “project.” It started happening naturally.

The CIO didn’t lose much staff or budget when she gave up control of IT security. The new information protection department operates like a consulting service to IT.

Both the physical security and IT security staffs perceived their status in the organization as being elevated. -S.D.S.
NextGeneration Security Case Study


Every  Kind  of  Risk 

As chief risk officer of Constellation Energy Group, John Collins has what you might call a diverse risk portfolio. Collins, whose background is in finance, started with a focus on financial and credit risks. These days, however, he spends about one-third of his time on operational risks, including physical security, information security and business continuity. We talked to Collins about what it’s like to bring together all those risks.

CSO: As someone with a finance background, how do you approach operational risk management?

JOHN COLLINS: The key is to understand your operational risk but put it in financial terms. We look at each of our critical assets—whether it be a physical asset or an information technology asset—and say, “OK, what happens if we lose that asset?” If the financial implications are large, then we’re going to make sure that we have all proper measures in place [to protect it]. We’re also going to make sure we have a business continuity plan in place, so that if we lose the asset—no matter how much protection was in place—we can continue to do business.

What  has  the  transition  into  managing  security  been  like? 

It’s  been  an  educational  process.  The  teams  have  spent  a  lot  of  time  educating  me  on 
what  is  physical  security,  what  is  IT  security— probably  more  on  IT  security.  You  can  see 
and  touch  physical  security;  IT  security  is  a  little  bit  tougher.  It’s  understanding  what  the 
regulations  are  that  drive  our  business,  what  our  vulnerabilities  are,  how  do  we  address 
our  vulnerabilities,  and  basically,  just  getting  a  handle  on  it. 

Is  managing  security  different  somehow  from  managing,  say,  credit  risk? 

The  types  of  employees  who  are  attracted  to  the  different  fields  are  different.  You  have 
to  manage  to  your  different  employee  populations.  You  understand  what  they’re  good 
at,  what  they’re  not  good  at,  what  their  likes  and  dislikes  are,  and  you  then  change  your 
management  style  appropriate  to  those  people. 

You use the same discipline in understanding corporate security or information security that you do in understanding credit risk or financial risk. The math is different; the dollars could be different, but you want to use the same approach. What we’ve done is standardize how we look at risk across the enterprise. I think that gives us better ability to go back and ask, “Was this a good decision?” We don’t always make perfect decisions, but [the approach] gives us a pretty solid platform to evaluate our decisions. -S.D.S.
…that we necessarily swing a bigger stick, but we have a very clear escalation path that doesn’t go to the CIO anymore. It’s not a server maintenance problem. It’s a vulnerability management problem.”

As for Petruzzi, he’s getting savvier about navigating that escalation path. Collins, the CRO, has led him to approach things from a financial risk management perspective. It’s been an education. It took Petruzzi three tries to get his first business plan right.

“The first-year approach was kind of going to be, let’s just let things run how they are and build a better plan instead of trying to come out of the gate with this plan to consolidate, reduce costs and make a more oversight-oriented business function,” Petruzzi recalls. “That didn’t fly. It was kind of like, ‘That’s not going to work. I’m a finance person. I want you to show me where you have places you can save costs by consolidation.’”

Three months later, Petruzzi finally got the plan approved and along the way became conversant with the finer distinctions between, say, cost reduction and cost avoidance. Because Collins is chief risk officer and not chief financial officer, Petruzzi says, the focus on cost savings doesn’t happen at the expense of good security. “At the same time that [Collins] is making us be financially responsible, he also is saying we’re only going to go to a certain level of risk,” Petruzzi says. He speaks like a person who has transformed from someone who merely secures assets into someone who analyzes and balances risks. Could it be that at the CSO level, the “new breed of security specialist” will not be a security specialist at all?

As for Constellation, it’s still too early to say whether the project truly will lead to the increased efficiency and effectiveness that the company is expecting. Hunt, the analyst, doesn’t mince words about the odds Constellation is up against.

“I think that most converged departments lead to a loss of efficiency, of effectiveness, or [to] utter failure. I wish it weren’t that way.” Hunt is convinced that companies will just not be able to reconcile the cultural differences between the two departments. He also suspects that in the long run, the most effective “convergence” may lie not in the integration of the two departments, but in targeted, specific projects done jointly, say, the installation of a new access management system.

Nevertheless, it’s hard to argue with what Shattuck has done as CEO. Under his risk-focused leadership, the company has tripled in size. On the 2004 Fortune 500 list, it jumped from position 352 to 203. Revenues for 2004 topped $12.5 billion, up from $3.9 billion in 2001. And Shattuck is bullish that the new structure is already working.

Every Monday he begins his week by meeting with his risk management committee. Not only does he get a window into the company’s current financial risks, but he finds out about security vulnerabilities. He doesn’t care if they are physical or virtual, only whether they could hurt the company.

“This is really a top-down perspective,” Shattuck says, “but for me [the converged approach is] the most convenient way of dealing with risks.” ■

E-mail  Senior  Editor  Sarah  D.  Scalet  at  sscalet@cxo.com. 


Signs  of  Common  Sense 


Senior  Editor  Sarah  D.  Scalet  noticed  three  events  last 
year  that  illustrate  the  convergence  trend.  Read  “Signs 
of  Common  Sense”  at  www.csoonline.com/printlinks. 
Register now with your priority code and be entered into a raffle to win a $200 gift certificate to be used at the Marriott Wardman Park Hotel.

Relevant best practices and case studies

Special Pre-Conference
Workshop  from  SANS 

The  Newest 
Additions  to  the 
Hacker’s  Toolbox: 
What  New  Weapons 
Are  They  Using 
to  Attack  their 
Victims? 

Presented  by  Eric  Cole, 
Ph.D.,  SANS  Institute 

Be  prepared  for  the  new 
threat  environment! 

This  SANS  short  course 
looks  at  the  evolution 
of  hacker  exploits  and 
where  they’re  headed. 
Separate  fee  of 
$395  applies. 


Better  than  the  rest? 

You  bet!  Last  year  more 
than  80%  of  surveyed 
participants  said  the 
Gartner  IT  Security  Summit 
was  better  than  similar 
conferences  they  attended. 
Register  today  at 
gartner.com/us/itsecurity 
and discover why 9 out of 10 participants would
recommend  Gartner 
IT  Security  Summit  to 
a  colleague. 


2005:  The  Year  of  Reckoning.  That’s  the  Imperative  for  IT  Security. 
Here’s  the  One  Conference  that  Meets  the  Demand... 


What  Are  the  Top  2005  Concerns 
of  IT  Security  Executives? 

According  to  our  recent  industry-wide  survey, 
they  boil  down  to  these  big  three: 

#1  Cost  containment.  Get  a  wealth  of  best 
practices  on  how  to  make  new  security 
investments  while  reducing  management 
overhead;  use  the  most  cost-effective 
strategies  to  protect  your  enterprise  from 
existing  and  emerging  attacks;  determine 
optimal  staffing,  budget,  and  more... 

#2 Compliance. See how to meet regulatory compliance without breaking the bank; discover how other country regulations treat privacy and security issues; pinpoint the specific information security requirements of major regulations and determine the best ways to support them enterprise-wide, and more...

#3  Formalizing  an  enterprise-wide  IT 
security  strategy.  Discover  how  to 
integrate  security  into  company-wide 
management  initiatives;  evaluate  security 
department  organizational  structures, 
return  on  investment,  and  response  to 
regulatory  requirements;  assess  cutting- 
edge  tools  and  technologies  for  protecting 
your  enterprise  networks,  applications  and 
data,  and  judge  whether  they’re  the  right 
fit  for  your  strategy,  and  more... 

Why  Now? 

Because your information security strategy must address the big picture needs of your enterprise and not just one problem or a handful of vulnerabilities. It needs to be ready and resilient, thwarting new external threats and responding to new internal pressures coming from the top down.

Our  renowned  team  of  Gartner  IT  security 
analysts  has  crafted  a  thorough  and  timely 
agenda  organized  around  the  key  principles 


that  support  a  sound  master  strategy  for 
information  security  across  the  enterprise. 

The  pressure  is  on  to  deliver  ROI  in  an 
increasingly  complex  and  challenging 
environment.  Here’s  the  conference  that  will 
help  you  secure  solid  results  with  brand  new 
content  for  the  fast  evolving  world  of  IT  security. 
Consider  it  your  strategic  guide  to  IT  security 
for  2005  and  beyond. 

How  Will  You  Benefit? 

With  fresh,  timely  information  and  insight  from 
our  crack  team  of  analysts,  security  gurus  and 
industry  experts.  They’ll  show  you  how  to. . . 

•  Cut  through  the  hype  to  determine  which 
threats  pose  a  true  risk  to  your  enterprise. 

•  Make  specific  recommendations  on  new 
architectures  that  will  improve  security 
while  saving  money. 

•  Rely  on  industry  best  practices  rather 
than  expensive  point  solutions  to  meet 
regulatory  requirements. 

• Determine which elements of your IT security and privacy processes are suitable for outsourcing.

• Link information security investments to overall enterprise risk management strategies.

• Securely deliver business services in a 24x7 operating environment.

• Get the latest take on today’s hot topics from “in-the-cloud” firewall services to identity management and business continuity planning.

Who  Should  Attend? 

CIOs,  CSOs,  CTOs,  VPs/Directors  of  IT, 
Network  Managers,  Risk  Managers,  Auditors, 
and  Senior  Business  Executives,  whose  jobs 
include  enterprise-security  responsibilities  and 
critical  infrastructure  protection. 


An  Exceptional  Lineup  of  Guest  Speakers,  along  with  the  Gartner  Team  of  Analysts,  Pave 
the  Way  to  Better  IT  Security 


Security Guru Roundtable

Join Bruce Schneier and top Gartner analysts John Pescatore and Jay Heiser to parse the complex issue of information security in 2005: next generation threats and products and the best ways to secure funding.

Bruce Schneier

An internationally renowned security expert and publisher of the influential newsletter “Crypto-Gram,” Bruce Schneier is the author of eight books, including the bestselling Beyond Fear: Thinking Sensibly about Security in an Uncertain World.

CyberCzar  Panel:  The  Government  and  CyberSecurity 

Bob  Woodward  moderates  as  former  CyberCzars  debate  the 
government’s  role  in  regulating  information  security. 

Roger Cressey

As president of Good Harbor Consulting, Roger Cressey advises clients on homeland security, cybersecurity and counterterrorism issues. Cressey, who is currently an on-air counterterrorism analyst for NBC News, served as Chief of Staff to the President’s Critical Infrastructure Protection Board from 2001 to 2002.

Howard A. Schmidt

Recognized worldwide as a leading expert on cybersecurity, Howard Schmidt is chief information security officer for eBay and Chief Security Strategist for the US CERT Partners Program. Prior to joining eBay in 2003, he served as special adviser to President Bush for cyberspace security and was CSO for Microsoft.


Bob Woodward

Named one of the best investigative reporters in America by The New York Times, Pulitzer Prize-winning Bob Woodward has been the Assistant Managing Editor of Investigative News for The Washington Post since 1982. Since first gaining national attention for breaking the Watergate story, he has written or co-written nine #1 national bestselling non-fiction books, including All the President’s Men, and most recently, Plan of Attack.


Amit Yoran

Amit Yoran is an independent director and advisor to several early stage security technology companies and large corporations. From 2003 to 2004, he was the Bush Administration’s cyber chief, responsible for coordinating the national activities in cybersecurity. He also served as the Vice President of Worldwide Managed Security Services at Symantec.


IT  Security  Best  Practices 

Find  out  what  works  best  in 
these  changing  times. 

Phillip Maier

A recognized speaker on security topics, Phil Maier is VP Information Security, Emerging Technologies at Inovant/Visa. He is responsible for overseeing the evaluation, design and implementation planning for information security technologies.


The  Networks  as  a 
Front  Line  Security  Device 

Find  out  how  AT&T  is  managing 
security  in  an  environment  of 
escalating  attacks. 

Edward Amoroso

Dr. Edward Amoroso is Chief Information Security Officer at AT&T. He holds adjunct faculty positions at Stevens Institute and Monmouth University and is a frequent lecturer on topics related to systems, network, and Internet security.


Zombies  on  Trial:  Who  is  Liable? 


In  this  mock  trial,  plaintiffs  sue  for  lapses  in  IT  security  and  the 
audience  serves  as  the  jury. 


Stewart Baker, Esq.

Described by The Washington Post as “one of the most techno-literate lawyers around,” Stewart Baker is a partner in the Washington Office of Steptoe & Johnson. His practice covers national security, electronic surveillance, law enforcement, export control, and technology issues.


Ben Wright, Esq.

One of the world’s leading technology lawyers, Ben Wright is the author of several law books, including The Law of Electronic Commerce, and most recently Business Law and Computer Security. During 20 years of private practice, he has consulted with a variety of organizations including the World Bank and IBM.


William Marlow

William Marlow is an internationally recognized authority on information security and risk and critical infrastructure protection. He has consulted worldwide with governments, corporations and financial institutions in various aspects of critical infrastructure protection. Presently, he chairs the U.S. Government Critical Infrastructure Protection Emerging Technology Forum.
Team Discount: When you register five colleagues from the same company at the same time with payment, the fifth colleague may attend free! Standard pricing applies. Discount invalid for Gartner ticketholder and special pricing options.

Money-Back  Guarantee 
Gartner IT Security Summit • June 6-8, 2005 • Washington, D.C.
gartner.com/us/itsecurity 

Three  full  days  and  more  than  50  sessions! 

Here’s  just  a  sampling  of  what’s  covered: 


compliance  issues 

next-stage solutions for firewalls, intrusion prevention and anti-malware

malicious  code  and  spyware 

behavior  blocking 
technologies 

network  access  control 
social  engineering 
digital  forensics 
in-the-cloud  services 

identification  and 
authentication  strategies 

security  standards  for  B2B 
gateways 


VPNs 

patch  and  vulnerability 
management 

business  continuity  planning 

best  practices  in  security 
architectures 

consolidation  within  the 
security  market 

managing  mobile  devices 

security  dashboards 
and  metrics 

VoIP  best  practices 

the  secure  e-mail  boundary 

biometrics 

web  services,  and  MORE! 


[Graphic: security concerns by business function. Recoverable labels: Marketing: brand protection; regulatory compliance; privacy; IT: business continuity.]


What Keeps the CSO Up At Night?

Connecting security solutions to business realities is central to the CSO role. CSOs must understand what risk means to their company and how to balance that risk with business opportunity. After all, the CSO is responsible for all aspects of the company’s security but is also a business executive with an eye on the bottom line.


CEO:  wants  the  company’s  employees,  assets  and  information 
protected  without  compromising  the  ability  and  agility  to  capitalize 
on  business  opportunities 


CSO:  connecting  all  aspects  of  physical  and  information  security 
with  business  realities,  partnering  with  executive  peers  and 
communicating  risks  and  solutions  throughout  the  company 


CSO 

The  Resource  for 
Security  Executives 


CSO  is  the  preferred  resource  catering  to  the 

expanding  information  needs  of  today’s  strategic  security 
executives.  CSO  provides  CSOs  with  the  resources  they 
need  to  make  their  companies  secure  and  competitive  in 
today’s  ever  changing  business  environment. 


www.csoonline.com
Executives are gathering at a sensitive offsite meeting. Can you spot 12 risks […]

At an offsite meeting, convergence is not a theory. It’s a real-world necessity. There, gathered in a room that may be thousands of miles away from headquarters, is every imaginable risk to a company’s intellectual property: from loose-lipped catering staff, to hacked Internet connections, to surreptitious recording devices. No matter how sumptuous the site, the risks are real, especially when the meeting involves the company’s long-term strategy or other sensitive information. And securing the meeting requires a broad spectrum of both digital and physical defensive measures.

Businesspeople may well ask, “These are fine hotels that we’re going to; what could possibly happen there?” according to Dave Kent, CSO of biotech company Genzyme. Kent’s answer to that question is “Plenty.”

“People will come in and try to get into the meetings,” he says. “It could be independent financial analysts who are trying to get some advance bits of information for the mosaic they need to project where the company is headed. It could be competitors. It could be people who just want to eat the food. If you’re not careful, the opportunity could be there for someone to do something they wouldn’t normally do, so why make it easy?”

In fact, why not make it as hard as possible?

To illustrate the risks at a typical offsite meeting, CSO worked with security consultant Richard Heffernan to create the graphic at the top of this page. There are (at least) 12 things in this picture that should raise the eyebrows of the converged CSO.
Risk 1

Signs outside draw attention to the nature of the meeting.

Fix: Signs should say “Private Meeting.”

Bonus points: For especially sensitive meetings, book the whole affair under a fictitious company name. Also consider setting up a white-noise machine outside the conference room to prevent anyone from standing outside the door and eavesdropping.

Risk 2

Participant is checking her e-mail using the hotel’s high-speed network.

Fix: Set up a secure support room with a computer and docking station that are connected to headquarters via a virtual private network, where your company’s employees can check their e-mail or do other tasks.

Bonus points: Encourage attendees to leave their laptops at home and use BlackBerrys instead. Not only do they contain less sensitive information than a laptop, they’re small enough that individuals are more likely to keep them on their persons.

Risk 3

An employee has left his laptop unattended.

Fix: Provide an area where participants who need to bring their laptops can securely check them.

Bonus points: Before the meeting, send out a letter reminding attendees to leave their laptops in the designated area rather than in their hotel rooms, if they need to bring their laptops at all. This letter should be signed by the senior-most person attending the event.

Risk 4

Reports from the printer or copy center have not been secured.

Fix: Have the printer sign a confidentiality agreement and agree not to tape the original copy to the outside of the box, where it can easily be perused. Provide for secure transportation to and storage at the meeting location.

Bonus points: Give attendees a secure way to get the materials they need back to headquarters, perhaps by providing self-addressed FedEx envelopes.

Risk 5

A second, more subtle risk associated with local copy centers or shipping stores: Offsite attendee may have received a sensitive fax.

Fix: In the secure support room, include a fax machine, photocopier, high-quality printer and paper shredder so that people won’t have to use local copy shops or the hotel business center.

Bonus points: Consider securing another extra room to be used as a lounge. Keep it stocked with snacks and drinks, and encourage people to take breaks there rather than in public areas.

Risk 6

An uninvited guest has wandered into the room.

Fix: A security officer should be stationed outside of the room at all times, checking those who enter against a list of those who are invited.

Bonus points: Include photographs of the participants on this list.

Risk 7

Catering staff could be hired or paid off by corporate spies.

Fix: Make sure the hotel’s general manager or meeting planner has signed a confidentiality agreement on behalf of the hotel and staff.

Bonus points: Pick the conference site carefully. Even a reputable chain hotel is only as good as the general manager of a particular site.

Risk 8

Coffee urns could contain hidden surveillance devices.

Fix: Be wary of anything brought into the room after it has been swept for bugs.

Bonus points: Keep the amount of food service equipment in the room to a minimum to decrease the number of places a surveillance device could be hidden.

Risk 9

The service door is unprotected.

Fix: Make sure that all service doors are locked whenever security is not present. Monitor back corridors during the event if necessary.

Bonus points: The locks on all the doors to the room should be re-cored, and only the hotel manager and the company’s security staff should have the key. If the room can’t be locked for some reason, a security officer should be stationed in the room starting after the bug sweep.

Risk 10

Wireless microphones are transmitting meeting content outside the room.

Fix: Make sure that all unencrypted wireless microphones have been removed from the room, and replace them with encrypted ones.

Bonus points: Bring your own wireless microphones in case the conference center doesn’t have them.

Risk 11

The audio-visual technician who is running the projection equipment has stored all of the presentations on her laptop.

Fix: Make sure the audio-visual company has signed a confidentiality agreement. At the end of the day, erase all the presentations from the technician’s laptop. This should be done using a small program that the security staff has on a diskette, which will wipe and rewrite the information on the hard drive.

Bonus points: If the room has windows, make sure projection equipment faces away from them so that no one outside can see what’s on the screen.

Risk 12

The room could have been wired for sound and video before your company arrived.

Fix: Before the meeting, sweep the room for bugs using professional counter-surveillance equipment. Then make sure the room is locked or supervised at all times.

Bonus points: Don’t forget that surveillance devices can be planted in drop ceilings or adjacent rooms, or hidden in plain sight, disguised as smoke detectors, clocks or even pens. ■

What risks have we missed? Go online and tell us at www.csoonline.com/offsite.
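The “small program on a diskette” in Risk 11 is an overwrite-in-place wipe. The following is an added example written for this page, not code from CSO or from Richard Heffernan, showing what such a program does and what it can and cannot prove. It assumes the decks are ordinary files on a local disk; the file name and contents in demo() are constructed for the example. The caveat a practitioner wants: overwriting a file’s logical bytes does not reach copies held in SSD spare blocks, filesystem journals or copy-on-write snapshots, or in any backup the technician’s laptop has already made, so the “verified” flag below only proves the visible contents changed before deletion. The durable answer today is full-disk encryption on the AV laptop (or keeping the decks on an encrypted removable drive) and destroying the key at the end of the event.

```python
import os
import secrets

HEAD_CHECK = 4096  # bytes compared before/after to confirm the logical contents changed


def wipe_file(path: str, passes: int = 1, chunk: int = 1 << 16) -> dict:
    """Overwrite every byte of a regular file in place with random data,
    flush it to disk, confirm the old leading bytes are gone, then unlink it.

    Returns a summary dict. The 'verified' flag only proves the file's
    logical contents changed before deletion; it cannot prove that no copy
    survives in SSD spare blocks, a journal, a snapshot or a backup.
    """
    if passes < 1:
        raise ValueError("passes must be >= 1")
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        original_head = f.read(min(size, HEAD_CHECK))
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))  # random data, not a fixed pattern
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push the overwrite through the OS page cache
        f.seek(0)
        new_head = f.read(min(size, HEAD_CHECK))
    verified = size == 0 or new_head != original_head
    os.unlink(path)
    return {"bytes_overwritten": size * passes, "passes": passes, "verified": verified}


def demo() -> dict:
    """Create a constructed sample 'presentation' in a temp directory, wipe it
    with two passes, and report the outcome. The file name and contents are
    made up for this example."""
    import tempfile

    tmp_dir = tempfile.mkdtemp()
    deck = os.path.join(tmp_dir, "q3-strategy.ppt")  # hypothetical deck
    with open(deck, "wb") as f:
        f.write(b"CONFIDENTIAL Q3 strategy " * 1000)  # 25,000 bytes of sample content
    result = wipe_file(deck, passes=2)
    result["still_exists"] = os.path.exists(deck)
    os.rmdir(tmp_dir)
    return result


if __name__ == "__main__":
    print(demo())
```

Run it on the technician’s machine against each deck; a result with verified True and still_exists False means the visible bytes were replaced and the file removed, nothing more. Treat the pass count as cosmetic: one pass of random data is as good as several for the threat the article describes, and no number of passes fixes the snapshot, journal and SSD problems named in the lead-in.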
[…] friends that you were in CSO.


But  it’s  even  better  to 
show  your  customers. 


What  better  way  to  inform  your  key  customers 
of  your  editorial  coverage  in  CSO  than  through 
customized  Editorial  Reprints? 

Leverage the positive impact of your editorial coverage by using reprints for direct mail campaigns, seminar promotions, employee communications, recruiting and marketing programs. Let us enhance your reprints with […] message. Reprints make great SALES tools […] in the hands of your customers. […] editorial reprints in volume quantities […]

Women of
Influence 
Awards 


CALL  FOR  NOMINATIONS 


The  Executive  Women’s  Forum 
(EWF)  honors  four  women  for  their 
accomplishments  and  leadership 
roles  in  the  fields  of  security,  risk 
management  and  privacy.  Winners 
are  announced  at  an  awards  cere¬ 
mony  during  the  EWF  Conference, 
Mastering  the  Art  of  Leadership, 
September  14-16,  2005  at  the 
Sheraton  Wild  Horse  Pass  Resort  & 
Spa  in  Phoenix,  AZ.  For  additional 
information  go  to: 
www.infosecuritywomen.com 

Please  nominate  your  peers, 
clients  and  customers  for  this 
influential  award,  co-presented 
by  CSO  magazine  and  Alta 
Associates. 

Nomination  form  available  at 

www.csoonline.com/woi-nomination 

NOMINATIONS  MUST  BE 
SUBMITTED  BY 
AUGUST  1,2005 


Media  sponsor  and  awards  co-presenter: 

CSO 

The  Resource  for 
Security  Executives 


Forum  host  and  awards  co-presenter: 


Alta Associates

Specialists  in  Executive  Recruitment 


April  15,  2005  www.csoonline.com  47 


Home Cookin’

[Subtitle and introduction illegible in the scan.]

Ingredients

1 tbs. resolve
[…] of physical security (chosen from best practices)
16 spears of fresh infosecurity practices, technical roots trimmed off
1 cup of cheesy business-speak (win-win, seamless, synergy, whatever’s on hand)
Choice of garnish

Directions

[Most steps illegible in the scan.] […] Whisk for several weeks. […] Garnish with new […] of your choice (avoid intense […] garnishes here, as they tend to overwhelm the dish with expectations).

Main course

[…] grill security for […]

Makes: approx. enough for one converged security operation at a large corporation; should have enough left over for subsidiaries.

Grilled and Skewered Surf & Turf

Ingredients

Turf: 1 pound of choice thick-cut physical security*
Surf: […] infosecurity, bones of contention removed*
1 large fresh clove of risk […], chopped (can use […])
Penetration tests […]
[…] mixed/chopped
Pinch of chutzpah
Soy sauce, thyme (for marinade)

Directions

1. Preheat unused office space (possibly offsite retreat). […] Marinate security staff. Use enough oil to prevent […]. […] requires thyme. The longer you marinate, the smoother your convergence will taste.
2. […] and seal off the room.
3. Grill team. CAUTION: Do not leave room unattended. […] security could cause flare-ups.
4. […] periodically; […] remove staff from the room […]

*According to research, […] in some cases, corporate death.

This nouveau take on an all-[…] will please everyone […] convergence, but it tastes sooooo goo-ooood!

Prep time: approx. 1 morning
Cook time: approx. 1 afternoon
Ready in: approx. 1 day

Guard Cobbler with Vanilla Glaze (Caution: Nuts!)

Ingredients

3 cups of sweetened data
1 cup sugary spreadsheets
3 buttered-up guards
[…]
2 cans of fruity ROI (for […])
5 tbs. chopped, mixed nuts
Extra vanilla glaze (to provide […])

Directions

1. […] combine sweetened data, sugary spreadsheets, buttered-up guards […], topping each with nuts.
2. […] until the tops harden […] until they have substance.
3. […] conference room […] chill; serve with ice cream.




But  one  problem... 


Everyone  can  easily  access  multiple  systems. 


...And  here  comes  the  Auditor. 


Non-compliance  can  cost  you  millions.  Symark  solutions  secure  your  UNIX/Linux  accounts  and  passwords,  and  protect 
your  ROOT  passwords  and  privileges,  while  delivering  detailed  Logs  and  Reports  for  UNIX/Linux  Audits  and  Regulatory 
Compliance,  like  SOX,  GLBA,  and  HIPAA. 


To  see  how  to  strengthen  your  UNIX/Linux  security,  get  a  FREE  copy  of  our  white  paper,  "Passing  UNIX/Linux  Audits 
and  Meeting  Regulatory  Compliance,"  visit  www.symark.com.  Or,  call  us  at  800-234-9072  to  schedule  a  live  Webex 
demonstration  and  mention  this  ad  to  receive  your  special  5-System  Starter  Pack  pricing. 


PowerKeeper 

Secure  storage  and  access  of 

ROOT  passwords 

■  Hardened  appliance-based  solution 
for  easy  deployment 

■  Passwords  are  stored  with  AES  and 
signed  with  X.509  certificates 

■  Passwords  are  accessed  using  only 
HTTPS  and  secure  authentication, 
with  optional  "Approver"  authorization 

■  Automatic  "strong"  ROOT  password 
generation  and  scheduled  resets 


PowerPassword 

User  Management  Edition 

■  Centrally  deploy,  modify,  and  delete 
UNIX/Linux  accounts 

■  Fast  and  easy  UID/GID  synchronization 

■  Strengthen  password  composition, 
enforce  aging  and  lockouts 

■  Control who may log in to/from which
hosts, when, by which method, and under what conditions

■  Detailed  Reports  for  all  account  and 
login  activities 


PowerBroker 

Root  Privilege  Delegation 

■  Securely  delegate  root  and  other 
special  account  privileges  (e.g.,  oracle) 

■  Define  who  may  run  which  privileged 
UNIX/Linux  tasks,  to/from  which  hosts, 
when,  and  under  what  conditions 

■  Detailed  user  task  logging  down  to 
the  keystroke 


■  Detailed  Reports  of  all  ROOT 
password  requests  and  releases 

■  Also  supports  Windows, 
database,  router  and  firewall 
Administrative  passwords 
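As an added illustration (not Symark's product configuration and not code from the page), here is the kind of delegation policy the PowerBroker bullets describe, expressed with stock sudo. The first rule is the weak shape that is still common; the second restricts the same DBA group to a named set of oracle service commands on named database hosts, runs them as the oracle account rather than root, and turns on sudo's session I/O logging, which records keystrokes and output for later replay with sudoreplay. Host names, user names, group name and command paths are placeholders.

```sudoers
# Added example, not Symark's configuration. Hosts, users, group and paths are placeholders.

# WEAK: every member of the dba group gets an unrestricted root shell on every host,
# with no password prompt. 'sudo -i' or 'sudo su -' is allowed, and the audit trail
# for the whole session is a single "COMMAND=/bin/bash" line.
%dba ALL=(ALL) NOPASSWD: ALL

# SCOPED: who (DBAS) may run which tasks (ORACLE_SVC) on which hosts (DB_HOSTS),
# and as which account (oracle, never root). Arguments are part of the match:
# 'systemctl stop oracle' is permitted, 'systemctl stop sshd' is not.
User_Alias   DBAS       = alice, bob
Host_Alias   DB_HOSTS   = db01, db02
Runas_Alias  ORA        = oracle
Cmnd_Alias   ORACLE_SVC = /usr/bin/systemctl start oracle, \
                          /usr/bin/systemctl stop oracle, \
                          /usr/bin/systemctl restart oracle, \
                          /usr/bin/systemctl status oracle

DBAS DB_HOSTS = (ORA) ORACLE_SVC

# Keystroke-level record of every delegated session, replayable with sudoreplay.
Defaults:DBAS log_input, log_output, iolog_dir=/var/log/sudo-io
# Scrub the caller's environment and re-authenticate on every invocation.
Defaults:DBAS env_reset, timestamp_timeout=0
```

Check the fragment with `visudo -c -f <file>` before dropping it into /etc/sudoers.d/, and list recorded sessions with `sudoreplay -l user alice`. Two caveats a practitioner would want: a rule of the form `ALL, !/bin/su` is not a restriction, because the user can copy the binary to another path, so grant an explicit command list as above rather than subtracting from ALL; and sudoers has no time-of-day clause, so the "when" part of a delegation policy is enforced outside sudo, for example through the PAM stack sudo authenticates against.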


POWERKEEPER®  •  POWERBROKER®  •  POWERPASSWORD®  User  Management  Edition 


Not  just  secure.  Symark  secure. 


SYMARK


800-234-9072  I  www.symark.com 


EASY  TO  DEPLOY  •  GRANULAR  CONTROL  •  EXCEPTIONAL  SUPPORT 


©2004  Symark  International.  All  Rights  Reserved. 


Are  you  concerned  about  the  high 
volume  of  data  theft  in  the  news? 


You  should  be. 

The risks of not having an application security solution in place are far greater. Find out how
NetContinuum™ protects corporations and keeps them out of the news: call 408-961-5600.


NetContinuum™ invites YOU to listen to Jim Slaby, Senior Analyst, Security Solutions & Services, of Yankee Group™, as he
reviews some of the most recent security breaches and how security best practices are addressing these very real
concerns around application security.

Don't miss this webinar with Jim Slaby of Yankee Group™. Mark your calendars for this special event on May 17th, 2005,
at 10:00 am PST / 1:00 pm EST. Go to www.netcontinuum.com/welcome/0505 to register for the webinar
and also receive our newest white paper on Best Practices in Application Security!

NETCONTINUUM  |  www.netcontinuum.com  |  408.961.5600


World's  most  powerful  application  security  firewall 


